A Focus on Safety
For years, NovAtel has developed safety critical systems for the aviation industry, where precise satellite measurement information is vital. Now the company is using the experience and knowledge gained in the aviation space to enter a new market—a market with even more stringent performance expectations and a need for positioning accuracy.
NovAtel intends to become the solutions provider that makes driverless cars a common sight on our roadways, providing the autonomous driving positioning reference. To that end, NovAtel formed a specialized Safety Critical Systems group in 2015 and tasked the new team of engineers with creating safe Global Navigation Satellite System (GNSS) positioning technology for driverless cars and autonomous applications in markets such as mining and agriculture.
The growing team is made up of engineers from a variety of backgrounds, including aviation, commercial, safety and automotive, said Jonathan Auld, NovAtel’s director of safety critical systems. All are talented professionals that he handpicked himself to take on this challenging task.
“This is not a trivial problem to solve. You can’t wave a wand over a product to make it safe,” Auld said. “You can’t take a product to the lab, do a test, and declare it safe. There are design considerations and engineer process considerations you have to take into account.”
Why is NovAtel interested in leading the way for precise positioning in this application market? It just makes sense, said Auld. The company is known for its high-precision products that deliver centimetre- and decimetre-level performance. Because of its reputation in the industry, clients who plan to move to autonomous vehicles began turning to NovAtel for a positioning solution that’s not only precise, but that also meets safety standards.
Car manufacturers, many of which use NovAtel as their reference positioning system, also wanted to know if NovAtel could achieve centimetre accuracy in driverless cars, while still meeting industry safety standards, necessary production volumes, and the required price point.
The simple answer is ‘yes,’ according to Auld. The team is already working on this groundbreaking initiative and leveraging what they learned during NovAtel’s participation in the Federal Aviation Administration (FAA) GPS Wide Area Augmentation System (WAAS) project, a Satellite-Based Augmentation System (SBAS) that evolved through three generations of certified GNSS receivers provided by the company.
Meeting stringent safety standards will mean a lot more time and effort will go into the product development process, Auld said, which takes a special type of team to successfully execute. They’re ready for the challenges that come with providing a safety-critical GNSS solution for the automotive industry, and, because of their experience with safety certification, they know what to expect throughout the process, from laying out the initial objectives to completing the final design.
A Different Process from the Start
From the very beginning, when developing a safety-certified product, engineers have to look at it differently than a standard commercial product, Auld said. Before they can even get started, “They must determine the safety goal of the system they are designing and how it integrates with other parts of the overall system.”
“You have to think about how it’s going to fit into the whole equation,” Auld said. “It starts from day one with setting the requirements and carries on from there. There are also additional steps that need to be taken throughout the development cycle. There’s mandated deliverables and procedures you have to execute—for example, failure mode assessment—that aren’t always completed during standard commercial development.”
Engineers must consider the different ways the system can fail, Auld said, and what will happen if it actually does fail or provides misleading information. For example, a safety-certified receiver that outputs a position also outputs a quality indicator. If the receiver says it is accurate to one metre but is actually outside that envelope, that is misleading information that could lead to problems, especially for driverless cars, which must be able to identify exactly where they are on the road at all times. This scenario is identified as a hazard in the image below. Examples of safe failure and safe operation protection are also illustrated.
“These products have extra algorithms that predict and provide qualification on the position that’s coming out so that you know that it’s good or, conversely, so you know not to trust it because you can’t make sure it’s safe,” Auld said. “Both of those are equally important.”
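As an added illustration, not NovAtel's code or algorithm, the following Python classifies each epoch of a constructed test log by comparing the receiver's reported error bound (its quality indicator) against the true error from a truth reference and an application alert limit, using the standard integrity categories (safe operation, safe failure, misleading and hazardous misleading information). The 1 m alert limit, the log format and all values are assumptions.

```python
from collections import Counter

# Constructed sample log, one epoch per line: "time,true_error_m,reported_bound_m".
# Values are made up for illustration; they are not real receiver output.
SAMPLE_LOG = """\
t1,0.12,0.80
t2,0.35,0.90
t3,1.40,2.50
t4,0.95,0.70
t5,1.60,0.85
t6,0.20,0.95
"""

def classify_epoch(true_error_m, reported_bound_m, alert_limit_m):
    """Integrity classification of one epoch (Stanford-diagram categories).

    true_error_m     - actual position error, known only in test against truth
    reported_bound_m - the receiver's claimed error bound (quality indicator)
    alert_limit_m    - largest error the application tolerates (assumed value)
    """
    if reported_bound_m > alert_limit_m:
        # Receiver tells the user not to trust the position: a safe failure.
        return "safe_failure"
    if true_error_m <= reported_bound_m:
        # Bound holds and the position is declared usable: safe operation.
        return "safe_operation"
    if true_error_m <= alert_limit_m:
        # Bound violated, but the error is still within what the application tolerates.
        return "misleading_information"
    # Receiver claims the position is good while the error exceeds the alert limit.
    return "hazardous_misleading_information"

def summarize(log_text, alert_limit_m):
    """Count integrity states over a log; return counts, availability, hazard epochs."""
    counts = Counter()
    hazards = []
    for line in log_text.strip().splitlines():
        t, err, bound = line.split(",")
        state = classify_epoch(float(err), float(bound), alert_limit_m)
        counts[state] += 1
        if state == "hazardous_misleading_information":
            hazards.append(t)
    total = sum(counts.values())
    # Availability: fraction of epochs in which the receiver declared the position usable.
    availability = (total - counts["safe_failure"]) / total
    return counts, availability, hazards

if __name__ == "__main__":
    counts, availability, hazards = summarize(SAMPLE_LOG, alert_limit_m=1.0)
    print(dict(counts), round(availability, 3), hazards)
```

In a certification test campaign the hazard list is the important output: any epoch in it is the receiver asserting a bound that the truth reference shows to be false.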
From Concept to Verification
Once the team finalizes safety goals and objectives to determine what the projected performance will be—which, for receivers, is positioning accuracy and the expected reliability of that position—they move on to the concept phase, Auld explained. During this phase, engineers develop the proposed architecture that meets the outlined objectives and then complete a Failure Mode Effects Analysis (FMEA) that takes a step-by-step approach to identifying all possible failures in a design. As they develop the prototype, they ask themselves what could go wrong and the different ways the system might not work as expected.
From there, engineers incorporate mitigations into the design to minimize the chance of something going wrong, and to prove they can meet the outlined safety objectives, Auld said. Strict coding and design standards must be followed when writing the firmware, which will further minimize the chance of future problems while also possibly constraining how the team can develop the product.
“You have to perform various levels of verification on the software and the hardware,” Auld added. “Instead of ‘black box’ testing, you might have to go into the code and make sure every line is justified, executed, and individually behaving itself.”
While developing these products, engineers must address different levels of safety. For some products, achieving the required safety level adds only a small amount of time to the development process; for products with higher safety standards, the added time can be substantial.
Testing and Regulatory Approval
With safety-certified products, it’s not just a matter of building a prototype and then testing it when it’s finished, Auld explained. Various testing and verification activities are built into the product development process at every step, starting with verifying the system specifications.
“Verification steps are staged throughout the process with the objective of finding problems as early as possible so they can be fixed before the end of the project. That’s good design practice anyway,” Auld said. “In a lot of cases you build the prototype, get it working, then conduct extensive testing on it. In this case that would still happen, but leading up to the prototype there are verification steps throughout the process.”
At the end of a project, receiving approval depends less on a regulatory agency than on members of the industry the product is designed for. In the aviation world, for example, aircraft manufacturers and related experts take the team through an approval audit to ensure they carried out the required due diligence during the design process. This includes not only executing all the necessary steps, but also producing evidence that each necessary task was completed.
“You don’t send the product to a lab to get certified,” Auld said. “It’s different depending on the industry, but it all comes down to an audit. Someone looks at the process you followed and at the design artifacts you generated and confirms that you’ve done your due diligence.”
NovAtel completed this process with the FAA and worked with them to develop three generations of WAAS-certified GNSS receivers for WAAS, an extremely accurate navigation system made up of the equipment and software that augments the Department of Defense (DoD) GPS Standard Positioning Service.
The system, which incorporates four ground reference networks, provides a Signal-In-Space (SIS) to WAAS users that supports all phases of flight. The latest generation, NovAtel’s WAAS G-III receiver, which the FAA began fielding in 2015, adds the ability to process the GPS L1C, L2C, and L5 signals, as well as all current and planned GPS civil signals plus L2 semi-codeless.
Auld was involved in developing the second and third generations of the WAAS receiver and learned the difficulties associated with taking a standard commercial product and turning it into a safety-certified solution. The team had to go back to basic principles and ask itself various safety-related questions to confirm the engineers were on the right track and developing a product that would meet all of the strict standards.
This often limits how engineers can use or implement a product, Auld said, because the objective is to be as deterministic as possible in the product’s performance. But it can also drive innovation because it forces the team to figure out a new way of doing things.
“Just because you did it one way for several years doesn’t matter. You have to think about how to solve the problem a little differently because you can’t do it that way anymore,” Auld said. “And that’s a lot of work.”
When developing the second generation of the WAAS receiver, the team was tasked with making sure the new product performed as closely as possible to the legacy receiver, Auld said, so that it could still operate within the WAAS network and meet all the safety requirements without affecting the network’s performance.
When the NovAtel team came back to the FAA with plans for enhanced features, the FAA told them not to move forward, but to keep the product the way it was.
Why? The improvements hadn’t been verified inside the safety standards; so, even though the engineering team was excited about the expanded capabilities, they had to essentially downgrade the system to ensure it continued to meet the strict safety requirements.
“Eventually the improvements were put into the receiver, but they had to be incorporated in a very careful, methodical, and deterministic way,” Auld said. “We had to take our time and make sure we filled in all the check boxes.”
A History of WAAS
NovAtel has a long history of working closely with the FAA that dates back to the 1990s.
The GPS Wide Area Augmentation System began in 1992 after approval of a mission need for enhanced satellite navigation capability for civil aviation. It became an official program two years later.
NovAtel was involved from the beginning, internally designing and funding the first reference receiver for this safety-critical system. The FAA first purchased and fielded the NovAtel receivers in the late 1990s.
WAAS reached its initial operating capability in July 2003 and is now made up of 38 reference stations, three master stations, and six uplink stations that support three L1/L5 Geostationary Earth Orbit (GEO) satellites transmitting differential corrections and integrity messages to aircraft. WAAS reference stations are located throughout North America including sites at northern latitudes of Alaska and Canada and southern latitudes of Mexico.
For more on WAAS, read “Modernizing a Safety Critical System.”
While the aviation and automotive projects are similar, as far as the deliverables and what the team will need to achieve, additional challenges come with working in the driverless vehicle space, Auld said. First, the automotive industry’s performance expectations are more stringent than what they experienced in the aviation world. The positioning must be even more accurate and employ carrier phase positioning techniques such as Precise Point Positioning (PPP) and Real-Time Kinematic (RTK). Code-phase positioning solutions are used on the aviation side.
The challenge becomes, Auld said, finding a way to use a carrier-phase solution and layering on the safety element—something that hasn’t been done before in the automotive use case.
“We know how to do PPP and we know how to do RTK and deliver corrections over satellite. All that is done. Now how do you do all that with the expectation that you can deliver on the safety side of it as well?” Auld asked. “There is no existing solution to that problem in the market today. We’re blazing the trail here.”
The team already has ideas, concepts and proposals, but they still have to prove them out to achieve the level of performance the automotive industry mandates, Auld said.
The other challenge is price. NovAtel sells products that typically cost thousands of dollars, but that won’t work in the automotive space. The automotive industry is used to paying significantly less than that, which means the team also needs to find ways to keep costs down.
“Our commercial products are very high end, very flexible and very adaptable to different problems,” Auld said. “In this instance we have to design for a specific use case and optimize the cost for that, plus deliver the performance we have in standard products and layer on the safety component.”
Although the task is challenging, NovAtel will leverage its experience in the aviation industry and its knowledge of what it takes to design safety-certified products to create positioning solutions for autonomous vehicles in a variety of commercial markets, including agriculture, mining and the automotive space. It will take some time to develop, and NovAtel will face many challenges along the way. Eventually we and our partners will provide the GNSS solution that enables driverless cars to travel safely and reliably on our roadways.