CN115967635A - Design method and device of automobile communication middleware DDS - Google Patents


Info

Publication number: CN115967635A
Authority: CN (China)
Application number: CN202211633900.0A
Other languages: Chinese (zh)
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Inventors: 胡海龙, 王传霸, 李少博, 钟绍宸
Current assignee: Beijing Huayutong Soft Technology Co ltd
Original assignee: Beijing Huayutong Soft Technology Co ltd
Prior art keywords: functional, determining, safety, communication middleware, dds

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02T: CLIMATE CHANGE MITIGATION TECHNOLOGIES RELATED TO TRANSPORTATION
    • Y02T10/00: Road transport of goods or passengers
    • Y02T10/10: Internal combustion engine [ICE] based vehicles
    • Y02T10/40: Engine management systems

Abstract

The invention discloses a design method and device for an automobile communication middleware DDS (Data Distribution Service), relating to the field of automobile communication and comprising the following steps: determining functional abnormalities of the DDS communication middleware in the vehicle communication process and the hazard events caused by the functional abnormalities; performing risk assessment on the hazard events caused by the functional abnormalities and determining the highest risk level of those hazard events; if the highest risk level requires the system to be analyzed according to the functional safety standard, classifying the functional abnormalities by functional type to obtain various classes of functional abnormality and determining the top-level safety requirements for each class; formulating a safety mechanism based on the top-level safety requirements and the classes of functional abnormality, and determining the safety state the DDS communication middleware enters when each class of functional abnormality is detected; and completing, based on the safety mechanism and the safety state, the design of a DDS communication middleware that meets the functional safety requirement. By applying this technical scheme, the designed DDS communication middleware can meet the functional safety requirement.

Description

Design method and device of automobile communication middleware DDS
Technical Field
The invention relates to the field of automobile communication, in particular to a design method and device of an automobile communication middleware DDS.
Background
In an intelligent networked vehicle, the amount of information received and processed by the vehicle far exceeds that of a traditional vehicle, and in order to achieve fast communication between nodes, manufacturers have started to deploy DDS (Data Distribution Service) communication middleware in the vehicle.
Currently, the prior art focuses more on deploying DDS communication middleware in the electronic/electrical system of a vehicle to control, manage and optimize the data flows transmitted in the network. However, if the DDS communication middleware fails, vehicle data cannot be exchanged correctly, and an uncontrollable vehicle risk results.
Disclosure of Invention
The invention provides a design method and device for an automobile communication middleware DDS (Data Distribution Service), whose main purpose is to ensure that the designed DDS communication middleware meets the functional safety requirement, so that the risk can be controlled within a reasonable range.
According to a first aspect of an embodiment of the present invention, a method for designing a DDS for an automotive communication middleware is provided, including:
determining functional abnormalities of the DDS communication middleware in the vehicle communication process and the hazard events caused by the functional abnormalities in different driving scenarios;
performing risk assessment on the hazard events caused by the functional abnormalities in different driving scenarios, and determining the highest risk level of the hazard events caused by the functional abnormalities;
if the highest risk level requires the system to be analyzed according to the functional safety standard, classifying the functional abnormalities by functional type to obtain various classes of functional abnormality, and determining the top-level safety requirements corresponding to each class;
formulating a corresponding safety mechanism based on the top-level safety requirements and the classes of functional abnormality, and determining the safety state entered by the DDS communication middleware when each class of functional abnormality is detected;
and completing the design of the DDS communication middleware that meets the functional safety requirement based on the safety mechanism and the safety state.
According to a second aspect of the embodiments of the present invention, there is provided a device for designing a DDS in an automotive communication middleware, including:
a determining unit, a processing unit and a display unit, wherein the determining unit is used for determining functional abnormalities of the DDS communication middleware in the vehicle communication process and the hazard events caused by the functional abnormalities in different driving scenarios;
an evaluation unit, used for carrying out risk evaluation on the hazard events caused by the functional abnormalities in different driving scenarios and determining the highest risk level of the hazard events caused by the functional abnormalities;
the determining unit being further configured to classify the functional abnormalities by functional type to obtain various classes of functional abnormality and to determine the top-level safety requirements corresponding to each class, if it is determined from the highest risk level that the system needs to be analyzed according to the functional safety standard;
a formulating unit, used for formulating a corresponding safety mechanism based on the top-level safety requirements and the classes of functional abnormality and determining the safety state of the DDS communication middleware when each class of functional abnormality is detected;
and a design unit, used for completing the design of the DDS communication middleware meeting the functional safety requirement based on the safety mechanism and the safety state.
According to a third aspect of embodiments of the present invention, there is provided a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of:
determining functional abnormalities of the DDS communication middleware in the vehicle communication process and the hazard events caused by the functional abnormalities in different driving scenarios;
performing risk assessment on the hazard events caused by the functional abnormalities in different driving scenarios, and determining the highest risk level of the hazard events caused by the functional abnormalities;
if the highest risk level requires the system to be analyzed according to the functional safety standard, classifying the functional abnormalities by functional type to obtain various classes of functional abnormality, and determining the top-level safety requirements corresponding to each class;
formulating a corresponding safety mechanism based on the top-level safety requirements and the classes of functional abnormality, and determining the safety state entered by the DDS communication middleware when each class of functional abnormality is detected;
and completing the design of the DDS communication middleware meeting the functional safety requirements based on the safety mechanism and the safety state.
According to a fourth aspect of the embodiments of the present invention, there is provided an electronic device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor implementing the following steps when executing the program:
determining functional abnormalities of the DDS communication middleware in the vehicle communication process and the hazard events caused by the functional abnormalities in different driving scenarios;
performing risk assessment on the hazard events caused by the functional abnormalities in different driving scenarios, and determining the highest risk level of the hazard events caused by the functional abnormalities;
if the highest risk level requires the system to be analyzed according to the functional safety standard, classifying the functional abnormalities by functional type to obtain various classes of functional abnormality, and determining the top-level safety requirements corresponding to each class;
formulating a corresponding safety mechanism based on the top-level safety requirements and the classes of functional abnormality, and determining the safety state entered by the DDS communication middleware when each class of functional abnormality is detected;
and completing the design of the DDS communication middleware that meets the functional safety requirement based on the safety mechanism and the safety state.
The innovation points of the embodiment of the invention comprise:
1. Deriving the assumed functional abnormalities of the DDS communication middleware from errors common in industrial communication is one of the innovative points of the embodiment of the invention.
2. Functional safety analysis is performed on the assumed functional abnormalities based on the functional safety standard, and a safety mechanism is provided, so that the designed DDS communication middleware can be ensured to meet the functional safety requirement; this is one of the innovative points of the embodiment of the invention.
Compared with the prior art, the design method and device for the automobile communication middleware DDS provided by the invention determine the functional abnormalities of the DDS communication middleware in the vehicle communication process and the hazard events they cause in different driving scenarios; carry out risk evaluation on those hazard events and determine their highest risk level; if the highest risk level requires analysis according to the functional safety standard, classify the functional abnormalities by functional type and determine the top-level safety requirements corresponding to each class; formulate the corresponding safety mechanism based on the top-level safety requirements and the classes of functional abnormality and determine the safety state of the DDS communication middleware when each class is detected; and finally complete the design of the communication middleware meeting the functional safety requirements based on the safety mechanism and the safety state. Therefore, by assuming that functional abnormalities occur in the DDS communication process and performing risk evaluation on the hazard events they cause, the invention obtains top-level safety requirements for those hazard events that carry an ASIL grade after the risk evaluation and provides a corresponding safety mechanism, so that errors are detected at the source and the communication middleware is guaranteed to enter a safety state; the designed DDS communication middleware can thus meet the functional safety requirements and the risk can be controlled within a reasonable range.
The foregoing description is only an overview of the technical solutions of the present application, and the present application can be implemented according to the content of the description in order to make the technical means of the present application more clearly understood, and the following detailed description of the present application is given in order to make the above and other objects, features, and advantages of the present application more clearly understandable.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 shows a flow chart of a design method of a vehicle communication middleware DDS provided by an embodiment of the invention;
Fig. 2 is a schematic structural diagram illustrating a device for designing a vehicle communication middleware DDS, provided by an embodiment of the invention;
Fig. 3 is a schematic structural diagram illustrating another device for designing a vehicle communication middleware DDS, provided by an embodiment of the invention;
Fig. 4 shows a schematic physical structure diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without inventive effort based on the embodiments of the present invention, are within the scope of the present invention.
It is to be noted that the terms "comprises" and "comprising" and any variations thereof in the embodiments and drawings of the present invention are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements but may alternatively include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
In the prior art, once the function of the DDS communication middleware is abnormal, vehicle data cannot be interacted correctly, and an uncontrollable vehicle risk is caused.
In order to overcome the above disadvantages, an embodiment of the present invention provides a method for designing a DDS in an automotive communication middleware, as shown in fig. 1, the method includes:
Step 101, determining functional abnormalities of the DDS communication middleware in the vehicle communication process and the hazard events caused by the functional abnormalities in different driving scenarios.
The functional abnormalities comprise corruption, unintended repetition, incorrect sequence, loss, unacceptable delay, insertion, masquerading and addressing error; the different driving scenarios include, for example, automated driving at high speed on a highway and a vehicle that has just been started.
The embodiment of the invention is mainly suited to the scenario of carrying out concept design on DDS communication middleware. The execution subject of the embodiment of the invention is a device or equipment capable of carrying out concept design on DDS communication middleware based on the SEooC (Safety Element out of Context) method.
For the embodiment of the present invention, in order to design a DDS communication middleware that meets the functional safety requirement, it is necessary to assume common functional abnormalities of the DDS communication middleware; the assumed functional abnormalities specifically include corruption, unintended repetition, incorrect sequence, loss, unacceptable delay, insertion, masquerading and addressing error. Corruption means that a message may be damaged due to an error in a bus communication participant, an error on the transmission medium, or message interference. Unintended repetition means that an old message that has not been updated is repeated at an incorrect point in time due to an error or interference. Incorrect sequence means that, due to an error or interference, the predetermined sequence (such as a natural number or a time reference) associated with messages from a specific source is wrong. Loss means that a message or acknowledgement is not received due to an error or interference. Unacceptable delay means that a message may be delayed beyond its permitted arrival window, e.g. due to errors on the transmission medium, congested transmission routes, interference, or because the sender is in a mode in which service is delayed or denied. Insertion means that a message associated with an unexpected or unknown source entity is received due to an error or interference. Masquerading means that a message associated with an apparently valid source entity is inserted due to an error or interference, so that a non-safety-related message may be received by a safety-related communication participant and processed as a safety-related message.
Further, when any of the above functional abnormalities of the DDS communication middleware occurs, the vehicle cannot receive the true data and therefore cannot correctly determine its situation, which constitutes a hazard; in a specific driving scenario, such a hazard directly leads to a hazard event that causes harm to passengers in the vehicle and pedestrians outside it, i.e. a hazard consequence. For example, if the specific driving scenario is the vehicle running at high speed on a highway and one of the above functional abnormalities occurs in the DDS communication middleware, the resulting hazards are shown in table 1.
TABLE 1
[Table 1 is provided as an image in the original publication; its contents are not reproduced in the text.]
Step 102, performing risk assessment on the hazard events caused by the functional abnormalities in different driving scenarios, and determining the highest risk level of the hazard events caused by the functional abnormalities.
For the embodiment of the invention, after the hazard events caused by the functional abnormalities in different driving scenarios have been determined, risk evaluation can be performed on them from the three dimensions of severity, controllability and exposure to obtain the risk grade corresponding to each hazard event, and the highest risk grade of the hazard events caused by the functional abnormalities is then determined from the risk grades of the individual hazard events.
It should be noted that, because the DDS communication middleware designed in the embodiment of the present invention is oriented to the automobile industry, the entire vehicle includes a plurality of ECU units, and the hazard events caused by the same communication function abnormality in different ECU units are likely to be different, so the obtained risk levels are also different.
Step 103, if it is determined from the highest risk level that the system needs to be analyzed according to the functional safety standard, classifying the functional abnormalities by functional type to obtain various classes of functional abnormality, and determining the top-level safety requirements corresponding to each class.
For the embodiment of the invention, if the analyzed highest risk level is QM, the hazard events caused by the functional abnormalities are within an acceptable range and no additional functional safety requirement is needed to detect the functional abnormalities, i.e. no subsequent analysis according to the functional safety standard is needed; conversely, if the analyzed highest risk level is not QM, the occurrence of a hazard event must be avoided, and the DDS communication middleware must then detect the functional abnormality and control the hazard event within a reasonable range; the functional abnormalities are classified and consolidated where necessary, and the top-level safety requirement corresponding to each class of functional abnormality is determined, as shown in table 2.
TABLE 2
[Table 2 is provided as an image in the original publication; its contents are not reproduced in the text.]
Data integrity means that, for safety-related applications, a data integrity guarantee should be provided so that data corruption caused by external errors or interference can be detected and handled; sequence integrity means that a sequence integrity guarantee should be provided so that unintended repetition, incorrect sequence, loss, insertion and similar hazardous events can be detected and handled; time integrity means that a time integrity guarantee should be provided so that it can be detected and handled whether the delay of the data is within a predefined range; source integrity means that a source integrity guarantee should be provided to ensure that data is delivered to the correct communication participant and that the data comes from the correct source.
Step 104, formulating a corresponding safety mechanism based on the top-level safety requirements and the classes of functional abnormality, and determining the safety state of the DDS communication middleware when each class of functional abnormality is detected.
For the embodiment of the present invention, since the hazard events are caused by functional abnormalities of the DDS communication middleware, a safety mechanism needs to be defined to detect the assumed functional abnormalities in the communication, thereby ensuring that the top-level requirements are fulfilled. At the same time, a corresponding safety state needs to be defined for each functional abnormality, so that when an assumed functional abnormality is detected in the communication, the DDS communication middleware can enter the safety state and the harm caused by the hazard event is kept within a reasonable range.
Step 105, completing the design of the DDS communication middleware meeting the functional safety requirements based on the safety mechanism and the safety state.
For an optional embodiment of the present disclosure, performing risk assessment on the hazard events caused by the functional abnormalities in different driving scenarios and determining their highest risk level includes: performing risk evaluation on the hazard events caused by the functional abnormalities in each driving scenario to obtain the risk grade of each hazard event in that scenario; and determining the highest risk level of the hazard events caused by the functional abnormalities from the risk grades obtained across the different driving scenarios.
Further, performing risk evaluation on a hazard event in a driving scenario to obtain its risk grade includes: determining the severity of the hazard event from the hazard consequence corresponding to it; determining the controllability of the hazard event from the driver's ability to control it when it occurs; determining the exposure of the driving scenario in which the hazard event occurs; and determining the risk level corresponding to the hazard event based on the severity, the controllability and the exposure.
Specifically, after the hazard events caused by the functional abnormalities in different driving scenarios have been determined, risk assessment is performed on them from the three dimensions of severity S, controllability C and exposure E, and the hazard events are classified according to the risk assessment result (S, E, C); if the same hazard event receives the same ASIL grade in several scenarios, the occurrences are merged, and if the same hazard event receives different ASIL grades, subsequent analysis is performed according to the highest ASIL grade.
Severity comprises four grades, S0, S1, S2 and S3, where S0 represents no injury, S1 represents light and moderate injury, S2 represents severe injury (survival probable) and S3 represents fatal injury; exposure comprises four grades, E1, E2, E3 and E4, where E1 represents a very low probability, E2 a low probability, E3 a medium probability and E4 a high probability; controllability comprises four grades, C0, C1, C2 and C3, where C0 represents fully controllable, C1 simply controllable, C2 normally controllable and C3 difficult to control.
Therefore, the evaluation yields the grade of each hazard event in the three dimensions of severity, controllability and exposure; these three grades are then combined to determine the final risk grade of each hazard event, as shown in table 3. The risk grades comprise ASIL A, ASIL B, ASIL C, ASIL D and QM. ASIL A, ASIL B, ASIL C and ASIL D indicate that the risk of the hazard event is not within a reasonable range and additional requirements are needed to detect the functional abnormality, i.e. subsequent analysis according to the functional safety standard is required; ASIL D is the highest grade and ASIL A the lowest, a higher grade representing a greater hazard. QM indicates that the risk of the hazard event is within a reasonable range.
TABLE 3
[Table 3 is provided as an image in the original publication; its contents are not reproduced in the text.]
For example, when a vehicle experiences one of the hazard events of tables 1 and 2 during automated driving: the scenario of the vehicle driving on a highway is very common, so the exposure may be rated E4; if the driver is not involved in driving, the driver's ability to control the hazard event is low, so the controllability may be rated C3; and the severity of the hazard event for passengers and pedestrians may be rated S3. In this case the risk level corresponding to the hazard event is finally determined as ASIL D.
It should be noted that, because the DDS communication middleware designed in the embodiment of the present invention is oriented to the automobile industry and the entire vehicle includes a plurality of ECUs, the hazard events caused by the same communication functional abnormality in different ECUs are likely to differ, so the resulting risk levels also differ. For example, in the vehicle body domain, the same communication functional abnormality causes a hazard event different from that in the autonomous driving domain, and the evaluation derives a different ASIL level or QM. The product designed by the embodiment of the invention is communication middleware and can be applied to any communication node (ECU) in the vehicle.
Further, for product compatibility and safety, the embodiment of the present invention develops the DDS communication middleware according to the requirements of the highest level, ASIL D, in the functional safety standard, so that it can satisfy the requirements of QM, ASIL D, ASIL C, ASIL B and ASIL A. In addition, because the top-level requirements obtained for the product aim at detecting functional abnormalities in communication and keeping the harm caused by the hazard event within a reasonable range, and the product is developed according to the highest level, the product can be used as long as its assumed functional abnormalities are the same as the communication functional abnormalities of any ECU in the vehicle.
For an optional implementation of the present disclosure, after the highest risk level of the hazard events caused by the functional abnormalities has been analyzed, it may be determined from that highest risk level whether the system currently needs to perform subsequent analysis according to the functional safety standard. Based on this, the method further comprises: if the highest risk level is an ASIL level, determining that the system currently needs additional requirements to detect or avoid the functional safety abnormality, i.e. the system currently needs to perform subsequent analysis according to the functional safety standard; and if the highest risk level is the QM level, determining that the system does not currently need to perform subsequent analysis according to the functional safety standard.
Specifically, if the highest risk level is any one of ASIL D, ASIL C, ASIL B and ASIL A, the system currently needs to perform subsequent analysis according to the functional safety standard, that is, it needs to avoid the occurrence of a hazard event and control the risk within a reasonable range; if the highest risk level is QM, the system currently does not need to perform subsequent analysis against the functional safety standard.
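The following Python script is an added illustration of steps 102 and 103 as described above; it is not code from the patent or its assignee. It rates each hazard event on S, E and C, reads the ASIL from the ISO 26262-3 ASIL determination table (assumed here to be the table the patent reproduces as its Table 3, which is only available as an image), merges the same hazard event across driving scenarios by keeping its highest grade, and applies the QM-versus-ASIL gate that decides whether analysis under the functional safety standard is needed. The hazard events, scenarios and S/E/C ratings in `SAMPLE` are constructed for the example.

```python
"""Risk assessment of hazard events (steps 102-103), added example.

The ASIL lookup follows the ISO 26262-3 determination table; the hazard
events and their S/E/C ratings below are constructed sample data."""
from dataclasses import dataclass

# ISO 26262-3 ASIL determination table, indexed as ASIL_TABLE[S][E], with the
# three entries of each cell corresponding to C1, C2, C3.
# S0 (no injury) or C0 (fully controllable) always yields QM.
ASIL_TABLE = {
    1: {1: "QM QM QM", 2: "QM QM QM", 3: "QM QM A", 4: "QM A B"},
    2: {1: "QM QM QM", 2: "QM QM A", 3: "QM A B", 4: "A B C"},
    3: {1: "QM QM A", 2: "QM A B", 3: "A B C", 4: "B C D"},
}
ASIL_ORDER = ["QM", "A", "B", "C", "D"]  # ascending risk


def asil(s, e, c):
    """Return the risk grade ('QM', 'A'..'D') for a severity/exposure/controllability triple."""
    if not (0 <= s <= 3 and 1 <= e <= 4 and 0 <= c <= 3):
        raise ValueError(f"invalid rating: S{s} E{e} C{c}")
    if s == 0 or c == 0:
        return "QM"
    return ASIL_TABLE[s][e].split()[c - 1]


@dataclass(frozen=True)
class HazardAssessment:
    abnormality: str   # assumed functional abnormality, e.g. "corruption"
    hazard_event: str  # hazard event caused by it
    scenario: str      # driving scenario in which the event is assessed
    s: int
    e: int
    c: int


def highest_asil(levels):
    """Highest grade in a collection of risk grades."""
    return max(levels, key=ASIL_ORDER.index)


def assess(assessments):
    """Step 102: grade every (event, scenario) pair, merge identical hazard
    events keeping the highest grade, and return ({event: grade}, overall highest)."""
    per_event = {}
    for a in assessments:
        level = asil(a.s, a.e, a.c)
        per_event[a.hazard_event] = highest_asil([level, per_event.get(a.hazard_event, "QM")])
    overall = highest_asil(per_event.values()) if per_event else "QM"
    return per_event, overall


def needs_functional_safety_analysis(level):
    """Step 103 gate: any ASIL grade requires analysis under the standard; QM does not."""
    return level != "QM"


# Constructed sample assessments (illustrative values, not taken from the patent).
SAMPLE = [
    HazardAssessment("corruption", "wrong distance to vehicle ahead",
                     "automated driving at highway speed", s=3, e=4, c=3),
    HazardAssessment("corruption", "wrong distance to vehicle ahead",
                     "vehicle just started, stationary", s=1, e=2, c=1),
    HazardAssessment("unacceptable delay", "delayed door-lock status",
                     "vehicle just started, stationary", s=0, e=4, c=1),
]

if __name__ == "__main__":
    per_event, overall = assess(SAMPLE)
    for event, level in per_event.items():
        print(f"{event}: {level}")
    print("highest grade:", overall,
          "-> analysis per functional safety standard:", needs_functional_safety_analysis(overall))
```

Running the script rates the highway-speed occurrence of the first hazard event as ASIL D, which dominates its QM rating in the stationary scenario, so the overall highest grade is ASIL D and the subsequent analysis of step 103 is required; the door-lock event stays at QM because S0 always yields QM regardless of exposure.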
For an alternative embodiment of the present disclosure, the functional abnormalities may be divided into four classes: the first class comprises corruption; the second class comprises unacceptable delay; the third class comprises addressing error, insertion and masquerading; and the fourth class comprises unintended repetition, incorrect sequence, temporary loss and permanent loss. For each class of functional abnormality a top-level requirement can be obtained and a corresponding safety mechanism formulated. Based on this, formulating a corresponding safety mechanism based on the top-level safety requirements and the classes of functional abnormality includes: when the top-level safety requirement is data integrity, calculating CRC check codes at the publishing end and the subscribing end respectively, and if the two CRC check codes are inconsistent, determining that the first class of functional abnormality has occurred and controlling the DDS communication middleware to enter the safety state; when the top-level safety requirement is time integrity, detecting respectively a first time interval between messages sent consecutively by the publishing end and a second time interval between messages received consecutively by the subscribing end, and if the first or the second time interval is greater than the maximum time interval, determining that the second class of functional abnormality has occurred and controlling the DDS communication middleware to enter the safety state; when the top-level safety requirement is source integrity, checking the received data at the subscribing end on the basis of a source identifier, and if the received data come from a wrong source, determining that the third class of functional abnormality has occurred and controlling the DDS communication middleware to enter the safety state; and when the top-level safety requirement is sequence integrity, checking at the subscribing end the data sent by the publishing end on the basis of the timestamp and the sequence number, and if the subscribing end does not receive the data in the correct sequence, determining that the fourth class of functional abnormality has occurred and controlling the DDS communication middleware to enter the safety state.
When a safety mechanism is formulated for the first category of functional abnormality (corruption), the designed DDS communication middleware ensures that the data at the publishing end and the subscribing end are consistent and that data is not corrupted during transmission, thereby ensuring data integrity. Specifically, a CRC may be computed over the published data at the publishing end and the CRC check code appended to the data; at the subscribing end the CRC check code is computed over the received data in the same way and compared with the publishing end's check code, and if the two check codes are inconsistent, the DDS communication middleware reports the fault information to the user and waits for the user to process it.
Further, the top-level safety requirement corresponding to the second category of functional abnormality (unacceptable delay) is time integrity. When a safety mechanism is formulated for this category, the designed DDS communication middleware must ensure that the publishing end sends data within the deadline of each data period and that the subscribing end receives data within the deadline of each data period, so that delays in sending and receiving are prevented and time integrity is ensured. Specifically, a timestamp (the time at which the message is sent) may be added when the publishing end publishes a message, and a maximum time interval between two consecutive messages is defined; the publishing end then checks the timestamps of consecutive messages, and if the maximum time interval is exceeded, the DDS communication middleware reports the fault information to the user and waits for the user to process it. Similarly, a timestamp (the time at which the message is received) may be added when the subscribing end receives a message, and a maximum time interval between two consecutive messages is defined; the subscribing end then checks the timestamps of consecutively received messages, and if the maximum time interval is exceeded, the DDS communication middleware reports the fault information to the user and waits for the user to process it.
Further, the top-level safety requirement corresponding to the third category of functional abnormality (addressing error, insertion and spoofing) is source integrity. When a safety mechanism is formulated for this category, the designed DDS communication middleware must ensure that all messages published by the publishing end are received by the matched subscribing end and come from the correct source, thereby ensuring source integrity. Specifically, at the publishing end a source identifier may be added to each piece of data to be published, and at the subscribing end a source integrity check is performed on the received data based on the source identifier to ensure that the data comes from the correct source, so that addressing errors, spoofing and insertion cannot cause a vehicle hazard event; if the subscribing end finds that the received data comes from an unexpected source, the DDS communication middleware reports the fault information to the user and waits for the user to process it.
Further, the top-level safety requirement corresponding to the fourth category of functional abnormality (unexpected repetition, misordering, temporary loss and permanent loss) is sequence (timing) integrity. When a safety mechanism is formulated for this category, the designed DDS communication middleware must ensure that all messages published by the publishing end are received by the matched subscribing end and in the correct order, thereby ensuring sequence integrity. Specifically, at the publishing end a sequence number may be added to each piece of data to be published, and at the subscribing end a sequence integrity check is performed on the received data based on the sequence number to ensure that the order of the received data matches the order in which it was published; the sequence numbers form an arithmetic progression whose minimum value is 1 and whose maximum value is the maximum number of data items sent each time. In addition, the timestamp and the sequence number added when the publishing end publishes a message both increase monotonically, so that the order of the sequence numbers is guaranteed to increase with time. A timing integrity check may then be performed on the received data at the subscribing end based on the timestamp and the sequence number to ensure that the data is received in the correct order, preventing unexpected repetition, misordering and loss. Loss is divided into temporary loss and permanent loss: a temporary loss is a packet lost during transmission that can be recovered by retransmission, whereas a permanent loss means that the publishing end has lost the packet and cannot retransmit it.
Further, if the subscribing end finds a problem with the received data and the problem is misordering, unexpected repetition or temporary loss, the DDS communication middleware can repair the fault automatically, that is, it notifies the publishing end to resend the data and does not report an error to the user. If the data cannot be recovered by repeated retransmission, an error message needs to be reported to the user. Further, if the subscribing end finds that the problem is a permanent loss, the DDS communication middleware reports a fault message to the user and waits for the user to process it.
In an optional implementation of the present disclosure, determining the safe state that the DDS communication middleware enters when the various types of functional abnormality are detected includes: when misordering, unexpected repetition or temporary loss occurs, the DDS communication middleware repairs the fault automatically; when corruption, delay, permanent loss, insertion, spoofing or an addressing error occurs, the DDS communication middleware reports the fault information to the user and waits for the user to process it. It should be noted that if the data cannot be recovered by repeated retransmission, an error message needs to be reported to the user. The top-level safety requirements, the formulated safety mechanisms and the safe states obtained in the embodiment of the invention are shown in the following table.
TABLE 4 (top-level safety requirements, safety mechanisms and safe states; the table is rendered as images in the original publication and is not reproduced here)
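The four checks and the safe-state decision described above (CRC for data integrity, send and receive intervals for time integrity, a source identifier for source integrity, and a sequence number with retransmission for sequence integrity) as an added Python example; it is not code from the patent or its applicant. The frame layout, the field names, the retry limit and the rule that a duplicate is simply dropped are assumptions made here; a real DDS implementation would carry these fields in the sample or the RTPS header rather than in this constructed frame.

```python
import struct
import zlib
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, NamedTuple, Optional, Tuple

# Frame layout assumed for this example (constructed here, not the patent's wire format):
#   source_id u32 | seq u32 | ts_ms u64 | length u16 | payload | crc32 u32
# The CRC covers every byte in front of it, so the header fields are protected as well.
HDR = "!IIQH"
HDR_LEN = struct.calcsize(HDR)
CRC_LEN = 4

class Fault(Enum):
    CORRUPTION = "corruption"                 # category 1: data integrity
    DELAY = "unacceptable delay"              # category 2: time integrity
    WRONG_SOURCE = "addressing error, insertion or spoofing"  # category 3: source integrity
    REPETITION = "unexpected repetition"      # category 4: sequence (timing) integrity
    MISORDER = "misordering"
    TEMP_LOSS = "temporary loss"
    PERM_LOSS = "permanent loss"

class Action(Enum):
    ACCEPT = "accept"
    AUTO_REPAIR = "auto-repair"     # middleware repairs the fault, the user is not notified
    REPORT = "report to user"       # middleware enters the safe state and waits for the user

class Verdict(NamedTuple):
    action: Action
    fault: Optional[Fault] = None
    payload: Optional[bytes] = None
    retransmit: Tuple[int, ...] = ()   # sequence numbers the publisher is asked to resend

def encode(source_id: int, seq: int, ts_ms: int, payload: bytes) -> bytes:
    """Attach source id, sequence number, send timestamp and CRC to one sample."""
    body = struct.pack(HDR, source_id, seq, ts_ms, len(payload)) + payload
    return body + struct.pack("!I", zlib.crc32(body) & 0xFFFFFFFF)

@dataclass
class Publisher:
    source_id: int
    max_interval_ms: int
    seq: int = 1                      # starts at 1 and increases together with the timestamp
    last_tx_ms: Optional[int] = None

    def publish(self, payload: bytes, now_ms: int) -> Tuple[bytes, Optional[Fault]]:
        """Publisher-side time check: a send gap above the bound is itself a fault."""
        late = self.last_tx_ms is not None and now_ms - self.last_tx_ms > self.max_interval_ms
        frame = encode(self.source_id, self.seq, now_ms, payload)
        self.seq, self.last_tx_ms = self.seq + 1, now_ms
        return frame, (Fault.DELAY if late else None)

@dataclass
class Subscriber:
    expected_source: int
    max_interval_ms: int   # leave room for one lost period, or a loss is reported as a delay
    max_retries: int = 3   # assumed limit; beyond it a gap counts as a permanent loss
    expected_seq: int = 1
    last_rx_ms: Optional[int] = None
    pending: Dict[int, int] = field(default_factory=dict)   # missing seq -> requests sent

    def check(self, frame: bytes, rx_ms: int) -> Verdict:
        # 1. Data integrity: recompute the CRC exactly as the publisher did.
        if len(frame) < HDR_LEN + CRC_LEN:
            return Verdict(Action.REPORT, Fault.CORRUPTION)
        body, crc = frame[:-CRC_LEN], struct.unpack("!I", frame[-CRC_LEN:])[0]
        if zlib.crc32(body) & 0xFFFFFFFF != crc:
            return Verdict(Action.REPORT, Fault.CORRUPTION)
        source, seq, _ts_ms, _length = struct.unpack(HDR, body[:HDR_LEN])
        payload = body[HDR_LEN:]
        # 2. Source integrity: only the matched publisher may deliver on this topic.
        if source != self.expected_source:
            return Verdict(Action.REPORT, Fault.WRONG_SOURCE)
        # 3. Time integrity: the interval between consecutively received samples is bounded.
        if self.last_rx_ms is not None and rx_ms - self.last_rx_ms > self.max_interval_ms:
            return Verdict(Action.REPORT, Fault.DELAY)
        self.last_rx_ms = rx_ms
        # 4. Sequence integrity: late arrivals, duplicates and gaps.
        if seq in self.pending:           # a late or resent sample closes a gap
            del self.pending[seq]
            return Verdict(Action.AUTO_REPAIR, Fault.MISORDER, payload)
        if seq < self.expected_seq:       # already delivered: drop the duplicate
            return Verdict(Action.AUTO_REPAIR, Fault.REPETITION)
        if seq > self.expected_seq:       # gap: ask the publisher to resend the missing ones
            missing = tuple(range(self.expected_seq, seq))
            self.pending.update({m: 1 for m in missing})
            self.expected_seq = seq + 1
            return Verdict(Action.AUTO_REPAIR, Fault.TEMP_LOSS, payload, missing)
        self.expected_seq += 1
        return Verdict(Action.ACCEPT, None, payload)

    def retry(self) -> Verdict:
        """Run when a retransmission deadline passes with data still missing."""
        for m in sorted(self.pending):
            if self.pending[m] >= self.max_retries:   # cannot be recovered by resending
                del self.pending[m]
                return Verdict(Action.REPORT, Fault.PERM_LOSS)
            self.pending[m] += 1
        return Verdict(Action.AUTO_REPAIR, Fault.TEMP_LOSS, None, tuple(sorted(self.pending)))
```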
In an alternative embodiment of the present disclosure, when the designed DDS communication middleware is integrated into the customer's software, the customer needs to confirm the validity of the assumptions made for it as a SEoC. On this basis, the method further comprises: when the DDS communication middleware is integrated into the customer software, verifying whether the DDS communication middleware is consistent with the customer's requirements. Specifically, when the DDS communication middleware is integrated, it is necessary to confirm whether the functional safety abnormalities assumed by the DDS communication middleware are consistent with the customer's requirements, and whether the integration is performed according to the requirements of the safety manual provided by the supplier. After the DDS communication middleware is integrated, whether it is consistent with the customer's requirements needs to be verified; if these conditions are met, the integrated DDS communication middleware meets the functional safety requirements.
According to the design method of the automobile communication middleware DDS provided by the embodiment of the invention, by assuming the functional abnormalities that occur in the DDS communication process and carrying out risk evaluation on the hazard events caused by them, the top-level safety requirement can be obtained for each hazard event that has an ASIL level after risk evaluation, and a corresponding safety mechanism is provided, so that errors can be detected at the root and the communication middleware is ensured to enter a safe state; the designed DDS communication middleware can therefore meet the functional safety requirements, and the risk can be controlled within a reasonable range.
Further, as a specific implementation of the method of fig. 1, an embodiment of the present invention provides a device for designing an automobile communication middleware DDS; as shown in fig. 2, the device includes a determining unit 31, an evaluation unit 32, a formulating unit 33 and a design unit 34.
The determining unit 31 may be configured to determine the functional abnormalities of the DDS communication middleware during the vehicle communication process, and the hazard events caused by the functional abnormalities in different driving scenarios.
The evaluation unit 32 may be configured to perform risk evaluation on the hazard events caused by the functional abnormality in different driving scenarios, and determine a highest risk level of the hazard events caused by the functional abnormality.
The determining unit 31 may be further configured to, if it is determined that the system needs to perform analysis according to a functional safety standard according to the highest risk level, classify the functional abnormalities according to functional types to obtain various functional abnormalities, and determine top-level safety requirements corresponding to the various functional abnormalities.
The formulating unit 33 may be configured to formulate a corresponding security mechanism based on the top layer security requirement and the various kinds of functional anomalies, and determine a security state that the DDS communication middleware enters when the various kinds of functional anomalies are detected.
The design unit 34 may be configured to complete the design of the DDS communication middleware satisfying the functional safety requirement based on the safety mechanism and the safety state.
In a specific application scenario, the evaluation unit 32, as shown in fig. 3, includes: an evaluation module 321 and a determination module 322.
The evaluation module 321 may be configured to perform risk evaluation on the hazard events caused by the functional abnormality in different driving scenarios, so as to obtain risk levels of the hazard events caused by the functional abnormality in different driving scenarios.
The determining module 322 may be configured to determine a highest risk level of a hazard event caused by the functional abnormality according to risk levels of hazard events caused by the functional abnormality in different driving scenarios.
Further, the evaluation module 321 may be specifically configured to determine the severity of the hazard event according to a hazard consequence corresponding to the hazard event; determining controllability of the hazard event according to control capacity of a driver on the hazard event when the hazard event occurs; determining an exposure rate of a driving scenario when the hazard event occurs; and determining a risk level corresponding to the hazard event based on the severity, the controllability and the exposure rate.
In a specific application scenario, the determining unit 31 may be further configured to determine that the system currently needs to perform subsequent analysis according to a functional safety standard if the highest risk level is an ASIL level; and if the highest risk level is the QM level, determining that the system does not need to perform subsequent analysis according to the functional safety standard currently.
In a specific application scenario, the various functional abnormalities include a first category, a second category, a third category and a fourth category of functional abnormality, and the formulating unit 33 may be specifically configured to: when the top-level safety requirement is data integrity, calculate CRC check codes at the publishing end and the subscribing end respectively, determine that the first category of functional abnormality has occurred if the two CRC check codes are inconsistent, and control the DDS communication middleware to enter a safe state, where the first category includes corruption; when the top-level safety requirement is time integrity, detect a first time interval between messages consecutively sent by the publishing end and a second time interval between messages consecutively received by the subscribing end, determine that the second category of functional abnormality has occurred if either interval is greater than the maximum time interval, and control the DDS communication middleware to enter a safe state, where the second category includes unacceptable delay; when the top-level safety requirement is source integrity, check the received data at the subscribing end based on a source identifier, determine that the third category of functional abnormality has occurred if the data comes from a wrong source, and control the DDS communication middleware to enter a safe state, where the third category includes addressing errors, insertion and spoofing; and when the top-level safety requirement is sequence (timing) integrity, check the data sent by the publishing end at the subscribing end based on the timestamp and the sequence number, determine that the fourth category of functional abnormality has occurred if the subscribing end does not receive the data in the correct order, and control the DDS communication middleware to enter a safe state, where the fourth category includes unexpected repetition, misordering, temporary loss and permanent loss.
In a specific application scenario, the formulating unit 33 may be further specifically configured so that, when misordering, unexpected repetition or temporary loss occurs, the DDS communication middleware repairs the fault automatically; and when corruption, delay, permanent loss, insertion, spoofing or an addressing error occurs, the DDS communication middleware reports the fault information to the user and waits for the user to process it.
In a specific application scenario, the device further includes a verification unit 35.
The verification unit 35 may be configured to verify, when the DDS communication middleware is integrated into the customer software, whether the DDS communication middleware is consistent with the customer's requirements.
It should be noted that, for other descriptions of the functional modules of the device for designing an automobile communication middleware DDS provided in the embodiment of the present invention, reference may be made to the corresponding descriptions of the method shown in fig. 1, which are not repeated here.
Based on the method shown in fig. 1, an embodiment of the present invention correspondingly further provides a computer-readable storage medium on which a computer program is stored, where the computer program, when executed by a processor, implements the following steps: determining the functional abnormalities of the DDS communication middleware in the vehicle communication process and the hazard events caused by the functional abnormalities in different driving scenarios; performing risk evaluation on the hazard events caused by the functional abnormalities in different driving scenarios, and determining the highest risk level of the hazard events caused by the functional abnormalities; if it is determined according to the highest risk level that the system needs to be analyzed according to the functional safety standard, classifying the functional abnormalities by functional type to obtain the various functional abnormalities, and determining the top-level safety requirements corresponding to them; formulating a corresponding safety mechanism based on the top-level safety requirement and the various functional abnormalities, and determining the safe state entered by the DDS communication middleware when the various functional abnormalities are detected; and completing the design of the DDS communication middleware that meets the functional safety requirements based on the safety mechanism and the safe state.
Based on the above embodiments of the method shown in fig. 1 and the device shown in fig. 2, an embodiment of the present invention further provides an electronic device whose physical structure is shown in fig. 4; the electronic device includes a processor 41, a memory 42, and a computer program stored in the memory 42 and executable on the processor, where the memory 42 and the processor 41 are both arranged on a bus 43, so that when the processor 41 executes the program the following steps are performed: determining the functional abnormalities of the DDS communication middleware in the vehicle communication process and the hazard events caused by the functional abnormalities in different driving scenarios; performing risk evaluation on the hazard events caused by the functional abnormalities in different driving scenarios, and determining the highest risk level of the hazard events caused by the functional abnormalities; if it is determined according to the highest risk level that the system needs to be analyzed according to the functional safety standard, classifying the functional abnormalities by functional type to obtain the various functional abnormalities, and determining the top-level safety requirements corresponding to them; formulating a corresponding safety mechanism based on the top-level safety requirement and the various functional abnormalities, and determining the safe state entered by the DDS communication middleware when the various functional abnormalities are detected; and completing the design of the DDS communication middleware that meets the functional safety requirements based on the safety mechanism and the safe state.
According to the embodiment of the invention, by assuming the functional abnormalities that occur in the DDS communication process and carrying out risk evaluation on the hazard events caused by them, the top-level safety requirement can be obtained for each hazard event that has an ASIL level after risk evaluation, and a corresponding safety mechanism is provided, so that errors can be detected at the root and the communication middleware is ensured to enter a safe state; the designed DDS communication middleware can therefore meet the functional safety requirements, and the risk can be controlled within a reasonable range.
Those of ordinary skill in the art will understand that: the figures are merely schematic representations of one embodiment, and the blocks or flow diagrams in the figures are not necessarily required to practice the present invention.
Those of ordinary skill in the art will understand that: modules in the devices in the embodiments may be distributed in the devices in the embodiments according to the description of the embodiments, or may be located in one or more devices different from the embodiments with corresponding changes. The modules of the above embodiments may be combined into one module, or further split into multiple sub-modules.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A design method of a vehicle communication middleware DDS is characterized by comprising the following steps:
determining the functional abnormalities of the DDS communication middleware in the vehicle communication process and the hazard events caused by the functional abnormalities in different driving scenarios;
performing risk assessment on the hazard events caused by the dysfunction in different driving scenes, and determining the highest risk level of the hazard events caused by the dysfunction;
if it is determined according to the highest risk level that the system needs to be analyzed according to the functional safety standard, classifying the functional abnormalities by functional type to obtain various functional abnormalities, and determining the top-level safety requirements corresponding to the various functional abnormalities;
formulating a corresponding safety mechanism based on the top layer safety requirement and the various functional abnormalities, and determining a safety state entered by the DDS communication middleware when the various functional abnormalities are detected;
and finishing the design of the DDS communication middleware which meets the functional safety requirement based on the safety mechanism and the safety state.
2. The method of claim 1, wherein the risk assessment of the hazard event caused by the dysfunction in different driving scenarios, determining a highest risk level of the hazard event caused by the dysfunction, comprises:
performing risk evaluation on the hazard events caused by the dysfunction in different driving scenes to obtain the risk grades of the hazard events caused by the dysfunction in different driving scenes;
and determining the highest risk level of the hazard event caused by the dysfunction according to the risk levels of the hazard event caused by the dysfunction in different driving scenes.
3. The method of claim 2, wherein the risk assessment of the hazard event caused by the dysfunction in different driving scenarios, resulting in a risk rating of the hazard event caused by the dysfunction in different driving scenarios, comprises:
determining the severity of the hazard event according to the hazard consequence corresponding to the hazard event;
determining controllability of the hazard event according to control capacity of a driver on the hazard event when the hazard event occurs;
determining an exposure rate of a driving scenario when the hazard event occurs;
and determining a risk level corresponding to the hazard event based on the severity, the controllability and the exposure rate.
4. The method of claim 2, further comprising:
if the highest risk level is an ASIL level, determining that the system needs to perform subsequent analysis according to a functional safety standard at present;
and if the highest risk level is the QM level, determining that the system does not need to perform subsequent analysis according to the functional safety standard currently.
5. The method of claim 1, wherein the various functional anomalies include a first functional anomaly, a second functional anomaly, a third functional anomaly, and a fourth functional anomaly, and wherein formulating a corresponding security mechanism based on the top-level security requirement and the various functional anomalies comprises:
when the top-level safety requirement is data integrity, calculating CRC check codes at a publishing end and a subscribing end respectively, and if the CRC check codes of the publishing end and the subscribing end are inconsistent, determining that the first category of functional abnormality has occurred and controlling the DDS communication middleware to enter a safe state, wherein the first category of functional abnormality comprises corruption;
when the top-level safety requirement is time integrity, detecting a first time interval between messages consecutively sent by the publishing end and a second time interval between messages consecutively received by the subscribing end, and if the first time interval or the second time interval is greater than a maximum time interval, determining that the second category of functional abnormality has occurred and controlling the DDS communication middleware to enter a safe state, wherein the second category of functional abnormality comprises unacceptable delay;
when the top-level safety requirement is source integrity, checking received data at the subscribing end based on a source identifier, and if the received data comes from a wrong source, determining that the third category of functional abnormality has occurred and controlling the DDS communication middleware to enter a safe state, wherein the third category of functional abnormality comprises addressing errors, insertion and spoofing;
when the top-level safety requirement is sequence (timing) integrity, checking data sent by the publishing end at the subscribing end based on a timestamp and a sequence number, and if the subscribing end does not receive the data in the correct order, determining that the fourth category of functional abnormality has occurred and controlling the DDS communication middleware to enter a safe state, wherein the fourth category of functional abnormality comprises unexpected repetition, misordering, temporary loss and permanent loss.
6. The method according to claim 5, wherein determining the safe state entered by the DDS communication middleware when the various categories of functional abnormality are detected comprises:
when misordering, unexpected repetition or temporary loss occurs, the DDS communication middleware repairs the fault automatically;
when corruption, delay, permanent loss, insertion, spoofing or an addressing error occurs, the DDS communication middleware reports the fault information to a user and waits for the user to process it.
7. The method according to any one of claims 1-6, further comprising:
when the DDS communication middleware is integrated into customer software, verifying whether the DDS communication middleware is consistent with the customer's requirements.
9. A design device of a vehicle communication middleware DDS, characterized by comprising:
a determining unit, configured to determine the functional abnormalities of the DDS communication middleware in the vehicle communication process and the hazard events caused by the functional abnormalities in different driving scenarios;
an evaluation unit, configured to perform risk evaluation on the hazard events caused by the functional abnormalities in different driving scenarios and determine the highest risk level of the hazard events caused by the functional abnormalities;
the determining unit being further configured to, if it is determined according to the highest risk level that the system needs to be analyzed according to the functional safety standard, classify the functional abnormalities by functional type to obtain various functional abnormalities and determine the top-level safety requirements corresponding to the various functional abnormalities;
the formulating unit is used for formulating a corresponding safety mechanism based on the top layer safety requirement and the various functional abnormalities and determining a safety state entered by the DDS communication middleware when the various functional abnormalities are detected;
and the design unit is used for completing the design of the DDS communication middleware meeting the functional safety requirement based on the safety mechanism and the safety state.
9. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 7.
10. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the computer program, when executed by the processor, implements the steps of the method of any one of claims 1 to 7.
CN202211633900.0A 2022-12-19 2022-12-19 Design method and device of automobile communication middleware DDS Pending CN115967635A (en)

Priority Applications (1)

Application Number: CN202211633900.0A (CN115967635A, en); Priority Date: 2022-12-19; Filing Date: 2022-12-19; Title: Design method and device of automobile communication middleware DDS

Applications Claiming Priority (1): the same application as above.

Publications (1)

Publication Number: CN115967635A; Publication Date: 2023-04-14

Family ID: 87359223

Family Applications (1): CN202211633900.0A (CN115967635A, en), Pending; Priority Date: 2022-12-19; Filing Date: 2022-12-19; Title: Design method and device of automobile communication middleware DDS

Country Status (1): CN, CN115967635A (en)

Similar Documents

Publication Publication Date Title
US10791125B2 (en) End-to-end controller protection and message authentication
Schmittner et al. FMVEA for safety and security analysis of intelligent and cooperative vehicles
US20190123908A1 (en) Arithmetic Device, Authentication System, and Authentication Method
CN107306185B (en) Method and device for avoiding manipulation of data transmission
JP2011523749A (en) Method for providing service based on tag information, and corresponding tag and tag reader
JP2018045392A (en) Network monitoring device, network system and program
US10721241B2 (en) Method for protecting a vehicle network against manipulated data transmission
JP2003229875A (en) Method for recognizing data transmission error in can controller, can controller, program, recording medium, and control device
CN112492016B (en) Cross-process extensible consensus method and system
CN112529577A (en) Block chain cross-chain system and method based on excitation treatment
AU2011211641A1 (en) Onboard transponder device and method of confirming soundness thereof
US9154285B2 (en) Communications apparatus, system and method with error mitigation
JP2008530626A (en) Method for monitoring program execution in a microcomputer
JP2017079429A (en) Communication system, control device, and control method
CN115967635A (en) Design method and device of automobile communication middleware DDS
CN111149336B (en) Method for detecting an attack on a control unit of a vehicle
US7607050B2 (en) Method and control system for recognizing a fault when processing data in a processing system
CN106921619B (en) Associated event processing method and device
CN110855499A (en) Exception handling method and device
CN112991066A (en) Consensus method and device in alliance chain and electronic equipment
CN107769959B (en) Automatic deployment system and method for deploying server sites on server
CN107203564B (en) Data transmission method, device and system
CN111443623A (en) Safety protection device and method based on vehicle CAN bus structure
US11212295B2 (en) Data communication method and apparatus for vehicle network
CN116781608B (en) Data transmission system, method, electronic device and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination