Swift Navigation uses AWS to run ISO 26262 certified workloads
Swift Navigation is a leader in precise positioning technologies for automotive, IoT, and mobile applications. Swift’s Skylark Precise Positioning Service is a cloud-based Global Navigation Satellite Systems (GNSS) corrections service designed to improve positioning accuracy to as little as two centimeters. Skylark is built to meet the highest standards of quality, safety, and integrity for the automotive industry, and is highly configurable to meet the needs of a wide variety of use cases across multiple industries. Today, Skylark powers vehicles and devices worldwide with high accuracy location. Swift runs Skylark on AWS to help deliver the reliability, security, and scalability necessary to help support location-enabled products.
Functional Safety for Automotive
In response to the increasing complexity of modern vehicles, automotive manufacturers and suppliers worldwide have widely adopted the ISO 26262:2018 “Road Vehicles Functional Safety” international standard for production vehicle electrical and electronic systems design, development, operation, and maintenance. This voluntary standard provides a risk-based approach to help ensure that appropriate safety measures are in place for the operation of vehicles where potential hazards are identified. It provides detailed guidance on the management of functional safety through organizational safety culture and policies, and defines systematic and structured approaches to identify hazards, estimate risk levels, and implement appropriate risk mitigation.
Key aspects of achieving functional safety during the entire development lifecycle, from concept through production, include:
- Assessing the required functions and performance levels of vehicle systems, including software and hardware components.
- Identifying potential risks and failure modes that could impact safety. This includes assigning Automotive Safety Integrity Levels (ASILs), from ASIL A (lowest risk) to ASIL D (highest risk), based on the severity, controllability, and likelihood of occurrence of the failure. The higher the ASIL, the more stringent the safety requirements, and the more rigorous the development process must be under ISO 26262.
- Implementing measures to mitigate risks, such as error detection, correction capabilities, and adding redundancy.
- Validating through testing and analysis that the required safety levels are achieved before vehicles are released.
Precise-Positioning Challenge
GNSS use global satellite constellations, such as GPS Navstar, Galileo, and Beidou, whose broadcast signals are used to determine the absolute position, velocity, and time (PVT) of the receiver fitted to the vehicle, with a typical positioning accuracy of approximately 3 meters. The vehicle’s onboard systems combine this calculated position with geographic mapping data for navigation purposes. High levels of vehicle autonomy are driving a requirement for high-precision positioning performance, with less than 4 centimeters margin of error.
Swift Navigation provides the required high-precision positioning performance through their Skylark Precise Positioning Service, coupled with compatible positioning engines typically found in commercial GNSS receivers. Skylark is able to estimate the observable biases and changing errors that contribute to the vehicle’s final positioning performance (Figure 1), and provide that information to the vehicle’s navigation systems in the form of GNSS corrections data. By receiving independent measurement data from a spatially distributed network of reference stations in different regions of the world, Skylark processes this data in real-time, and simultaneously distributes the GNSS correction data to the vehicles using the service. By running on AWS, Skylark provides an emulated in-vehicle sensor, virtualized beyond the physical boundary of the vehicle, which helps to deliver a reliable, scalable, and secure service worldwide.
Figure 1. Sources of GNSS Error
A key component of Skylark’s precise positioning service is the ability to provide GNSS corrections data that meets the functional safety standards required by automotive customers. In April 2024, an independent third-party auditor, UL Solutions, determined that Swift Navigation achieved compliance with the ISO 26262 standard for its Skylark solution.
Swift Navigation’s Solution on AWS
In traditional automotive electrical architectures, the software control applications and safety monitoring are limited to running on the in-vehicle electronic control units (ECUs). Skylark uses the diverse core architectures of Amazon Elastic Compute Cloud (Amazon EC2), together with the scalability, high availability, and security of AWS services, to help meet the intent of the ISO 26262 Functional Safety standard. In addition, through regular security audits and assessments, Swift has also demonstrated compliance with other ISO certifications, including ISO 27001 Information Security and ISO/SAE 21434:2021 “Road vehicles – Cybersecurity engineering”.
Swift has designed, architected, and tested Skylark to demonstrate functional safety compliance to their third-party independent auditor by employing, in part, the following AWS service features:
- Diversified infrastructure environments using Amazon EC2 Graviton (ARM) and x86 instances;
- Fault tolerance and isolation using multiple Availability Zones;
- Highly available and auto-scalable deployments;
- Real-time monitoring of issues and incident management; and
- Tools for security and compliance to help Swift’s customers collect certification information.
Developed under ISO 26262’s Safety Element out of Context (SEooC) concept, Skylark supports generation of GNSS correction data through software functions developed with Swift Navigation’s Quality Management (QM) processes in accordance with ISO 9001 and ASPICE standards. Adopting this approach provides the required safety mechanisms to achieve ISO 26262 ASIL B standard, tailored for the SEooC lifecycle.
Figure 2. Skylark Precise Positioning Service – Functional Block Diagram
Skylark maintains the probability of failure below the target integrity risk by employing two independent Integrity Chains that verify the integrity of the corrections data and the associated GNSS data. The types of faults detectable by Skylark fall into the following two categories:
Table 1. Skylark Precise Positioning Service – Fault Monitors
When a failure is detected, or GNSS data cannot be verified, Skylark’s Correction Checkers transmit high-level and low-level flags to the vehicle to indicate that all or part of the corrections data and associated GNSS data should not be used.
Typically, Skylark’s vehicle connection is through a mobile cellular (GSM) network, and connection loss is to be expected during periods of poor network quality. In this event, the vehicle’s connection state is simply detected, and does not introduce a safety risk. However, a risk can occur if the vehicle applies Skylark’s corrections data that has been flagged as Invalid or Not-Monitored, or has not been confirmed as verified by Skylark’s two independent Correction Checkers. To mitigate this risk, the OEM’s in-vehicle onboard systems are responsible for monitoring Skylark’s corrections data flags, and maintaining an appropriate vehicle state.
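An added example, not Swift Navigation's code or message format: one way an in-vehicle consumer could enforce the flag policy described above while failing closed. The report layout, field names, the per-satellite granularity of the low-level flags, and the `Flag` enum are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Flag(Enum):
    VALID = "valid"
    INVALID = "invalid"
    NOT_MONITORED = "not_monitored"


@dataclass(frozen=True)
class CheckerReport:
    """Verdict from one Correction Checker (hypothetical layout)."""
    checker_id: str
    high_level: Flag              # covers the whole corrections set
    low_level: dict[str, Flag]    # assumed per-satellite flags, keyed by id


def usable_corrections(corrections: dict[str, float],
                       reports: list[CheckerReport]) -> dict[str, float]:
    """Return only the corrections that both independent checkers verified.

    Fails closed: a missing report, a duplicated checker, a non-VALID
    high-level flag, or a missing/non-VALID low-level flag drops the data.
    """
    if len(reports) != 2 or len({r.checker_id for r in reports}) != 2:
        return {}                 # two distinct checkers are required
    if any(r.high_level is not Flag.VALID for r in reports):
        return {}                 # high-level flag rejects everything
    return {
        sat: value
        for sat, value in corrections.items()
        if all(r.low_level.get(sat) is Flag.VALID for r in reports)
    }


# Constructed sample data (not real Skylark output).
SAMPLE_CORRECTIONS = {"G01": 0.42, "G07": -1.10, "E11": 0.05}
SAMPLE_REPORTS = [
    CheckerReport("checker-a", Flag.VALID,
                  {"G01": Flag.VALID, "G07": Flag.INVALID, "E11": Flag.VALID}),
    CheckerReport("checker-b", Flag.VALID,
                  {"G01": Flag.VALID, "G07": Flag.VALID}),  # E11 unreported
]

if __name__ == "__main__":
    print(usable_corrections(SAMPLE_CORRECTIONS, SAMPLE_REPORTS))
```

An entry that one checker never reported is treated the same as one flagged Invalid, so silence from a checker cannot be mistaken for approval.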
Skylark has been designed by Swift with independence and redundancy built into different layers of the architecture. Skylark’s design includes resilience such that a failure in any single part of the system does not cause a system-wide service disruption or undetected computation/corruption error in the GNSS corrections data.
As illustrated in Figure 3, Amazon EKS provides automatic scaling and high availability of the Kubernetes Control Plane by deploying nodes across multiple AWS Availability Zones and monitoring Control Plane Node instance load and health. Similarly, Swift achieves high availability of the Kubernetes Data Plane by deploying Amazon EKS Worker Nodes across three or more AWS Availability Zones.
Figure 3. Resilient Multi-Zone design with Amazon EKS
Figure 4 shows how Skylark is deployed by Swift in multiple AWS Availability Zones and Amazon EKS Clusters using Amazon EC2 Graviton (ARM) and x86-based Amazon EKS Worker Node instances. Swift’s deployment satisfies Skylark’s requirements for independent cross-checking, redundancy, and resilience.
Figure 4. Conceptual safety design of Skylark precise positioning service
Skylark collects satellite positioning data from two independent spatially distributed networks of GNSS reference stations, and uses Skylark’s ASIL-certified independent monitoring functions deployed on Amazon EC2 Graviton (ARM) and x86-based instances to perform validation checks for its GNSS Corrections Generators. The vehicles receiving Skylark’s GNSS corrections data perform additional ASIL-certified integrity checks to ensure the final validity of the in-vehicle precise-positioning calculation.
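An added example, not Swift's tooling: a placement audit that reports when two redundant monitoring channels stop meeting the diversity properties described above. The inventory, the channel names, and the policy (channels must not share a CPU architecture, and each must span three or more zones) are assumptions; `kubernetes.io/arch` and `topology.kubernetes.io/zone` are the standard Kubernetes node labels.

```python
from collections import defaultdict

ARCH = "kubernetes.io/arch"            # standard Kubernetes node label
ZONE = "topology.kubernetes.io/zone"   # standard Kubernetes node label

# Constructed inventory: (channel name, labels of the node running the pod).
SAMPLE_PODS = [
    ("checker-a", {ARCH: "arm64", ZONE: "zone-1"}),
    ("checker-a", {ARCH: "arm64", ZONE: "zone-2"}),
    ("checker-a", {ARCH: "arm64", ZONE: "zone-3"}),
    ("checker-b", {ARCH: "amd64", ZONE: "zone-1"}),
    ("checker-b", {ARCH: "amd64", ZONE: "zone-2"}),
    ("checker-b", {ARCH: "arm64", ZONE: "zone-2"}),  # drifted onto ARM
]


def audit_placement(pods, min_zones=3):
    """Return findings for the assumed policy; an empty list means pass."""
    archs, zones, findings = defaultdict(set), defaultdict(set), []
    for channel, labels in pods:
        if ARCH not in labels or ZONE not in labels:
            findings.append(f"{channel}: node lacks arch or zone label")
            continue
        archs[channel].add(labels[ARCH])
        zones[channel].add(labels[ZONE])
    if len(archs) < 2:
        findings.append("fewer than two channels observed")
    owner = {}  # architecture -> first channel seen using it
    for channel in sorted(archs):
        count = len(zones[channel])
        if count < min_zones:
            findings.append(f"{channel}: {count} zone(s), need {min_zones}")
        for arch in sorted(archs[channel]):
            if owner.setdefault(arch, channel) != channel:
                findings.append(f"{channel}: shares {arch} with {owner[arch]}")
    return findings


if __name__ == "__main__":
    for finding in audit_placement(SAMPLE_PODS):
        print(finding)
```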
Conclusion
For automotive functional safety related applications, automakers and their Tier-n suppliers must have a systematic, risk-based approach and rigorous design to help minimize potential failures. Swift Navigation’s Skylark Precise Positioning Service is designed to achieve independent calculations and validation through diverse processing channels which are powered, in part, by Amazon EC2 Graviton (ARM) and x86-based instances deployed in multiple Availability Zones, with a reliable, scalable, on-demand infrastructure on AWS.
To help customers during their certification process, AWS supports 143 security standards and compliance certifications as described on the AWS Compliance Programs page, including PCI-DSS, HIPAA/HITECH, FedRAMP, GDPR, FIPS 140-2, ISO/IEC 27001:2022, 27017:2015, 27018:2019, 27701:2019, 22301:2019, 20000-1:2018, 9001:2015, and CSA STAR CCM v4.0 and NIST 800-171.
For additional details, please reach out to our Automotive Industry teams. Learn more about Swift Navigation.