160 likes | 290 Views
Model based development for function safety Continental Automotive France Philippe CUENOT OFFIS Thomas PEIKENKAMP. Model based development for function safety. Process overview Hazard Analysis Items definition Architecture and Safety Concept Qualitative Safety Analysis
E N D
Model based development for function safety Continental Automotive FrancePhilippe CUENOT OFFIS Thomas PEIKENKAMP
Model based development for function safety • Process overview • Hazard Analysis • Items definition • Architecture and Safety Concept • Qualitative Safety Analysis • Quantitative Safety Analysis • Conclusion Continental Automotive / Philippe Cuenot / OFFIS / Thomas Peikenkamp / 2012.09.25
Process overview (not including safety management) • Main input for the hazard analysis: Definition of the Item (under investigation), including • Dependencies/interaction with other items of the vehicle • Dependencies/interaction with the environment of the vehicle (including the driver and possibly other traffic participants) • Identify & model hazards (resp. hazardous events) • In model-based development we would expect that all identified hazardous events can be “executed” within the model • For each hazard a safety goal for hazard avoidance/mitigation needs to be identified • Result of hazard analysis shall enable the validation of the Functional Safety Concept • Initiate the Functional Safety Concept using architecture model OFFIS / Thomas Peikenkamp / 2012.09.25
Process overview (not including safety management) • Qualitative Analysis and rework of the Functional Safety Concept • Demonstrate that function failure do not violating the safety goal using model based techniques (Failure Mode as model property) • Develop the Technical Safety Concept • Refine architecture model and perform allocation of Logical Function into SW or HW Functional Block model • Qualitative Analysis of technical Safety Concept • Demonstrate that HW and SW function failure do not violating the safety goal (not cut set of order 1) using model based techniques • Quantitative Analysis of technical Safety Concept • Metrics and probabilistic calculation (FIT defined as model property) • Develop HW and SW component (and then verify) OFFIS / Thomas Peikenkamp / 2012.09.25
Hazard Analysis Contributing Factors • Several factors are contributing to the occurrence of hazardous events • For traceability reasons ISO 26262 requires the analysis • to identify these factors • to show how they contribute OFFIS / Thomas Peikenkamp / 2012.09.25
Hazard AnalysisFormalization • Formal description of hazardous events should identify • identify each factor • show how it is contributing to its occurrence • Hazard: partial loss of steering function • Factor contributing to hazardous event: Controllability of torque on steering wheel OFFIS / Thomas Peikenkamp / 2012.09.25
Hazard AnalysisModeling Needs • An abstract model of the item/vehicle is used to identify the concepts needed within the hazard formalization (no design model!) • Includes the hazard formalization • Items are characterized from different perspectives within this model … OFFIS / Thomas Peikenkamp / 2012.09.25
Items definition • The item (under investigation) and other items of the vehicle have to be looked at from different perspectives when describing hazards and safety goals: • How is the item used within vehicle/environment? • Operational perspective • How does it interact with other items? • Functional perspective • Where is it installed within vehicle? • Geometrical perspective • What is the HW/SW architecture of the item? • Technical perspective Need for adequate architecture model … OFFIS / Thomas Peikenkamp / 2012.09.25
Architecture and Safety ConceptArchitecture abstraction* *From SPES Meta Model architecture (OFFIS) Continental Automotive / Philippe Cuenot / 2012.09.25
Architecture and Safety ConceptMapping with EAST-ADL/AUTOSAR Continental Automotive / Philippe Cuenot / 2012.09.25
Qualitative Safety Analysis (mix of inductive and deductive methods) System decomposition Hazard analysis Safety Goal Merged FTA / ETA/… FE FMEA Generated FTA / ETA /.. Generated FTA / .. FMEDA Generated FTA / … Generated FTA / … Step 1: Elementary block failure mode analysis (Dysfunctional behavior) Step 2: Tag of each block safety contribution (function, diagnosis, mechanism…) Step 3: Generation of propagation for Qualitative analysis (FTA / ETA /…) Continental Automotive / Philippe Cuenot / 2012.09.25
Quantitative Safety Analysis Hardware electronic component Electronics HW Architecture (Function Blocks) EAST-ADL / HDA Hardware Block Matching Requirement structural organization Includes safety mechanism Describing Function and Interface Driver μP Top Level Hardware Safety Requirement from safety qualitative analysis Component X shall not contribute to Hardware Block Failure Mode Monitoring Power Supply Package Allocation Hardware Safety Req. Electronic Package Allocation Additional hardware safety requirement ASICx shall integrate Safety Mechanism 1 FPGAX shall ensure independence between Function 1 and Function 2 FPGA1 C1 Electronic Design Component Super Set (ASIC1 + C1+ …) Next step for qualitative analysis μP ASIC1 Electronics HW Schematic (Components) AUTOSAR ECU Ress Temp. (IP-XACT match) Continental Automotive / Philippe Cuenot / 2012.09.25
Quantitative Safety Analysis FIT allocation to hardware component Failure Mode Identification Electronics HW architecture (Blocks) Quantification based on Function Block Component FIT allocation for HW component Super Set (from generic design) Allocation (from electronic component and project) Calculation Metrics Verification Target versus Calculated FIT from HW component PS: Same concept of allocation/calculation can be applied to DC Continental Automotive / Philippe Cuenot / 2012.09.25
Quantitative Safety Analysis Hardware component metrics contribution Quantification based on HW electronic Component Electronic Components Super Sets Failure Mode Analysis Quantitative contribution to Top level hardware safety requirement (as failure mode FMxx) Inductive methods for analysis of electronic component failure Made by specialist as electronic designer and use reliability data base Use reliability block diagram or failure mode and effect Analysis Allocation of failure and ratio of component FIT to block failure mode (λFMxx) Calculation or direct Reliability Block Diagram FMEA style Serial (AND): λC1oc * λASIC1 Parallel (OR): λC1o + λASIC1 Complex Truth Table Modeling: Σ((λC1oc*λASIC1)+(λC1ccg*λASIC1)) as simplification of OR and AND combination) Continental Automotive / Philippe Cuenot / 2012.09.25
Conclusion • Benefit of approach • Hazard: allows (semi-) formal verification for future • Architecture: clear separation of design and implementation • Reduce time for safety analysis (library and generation approach) • Standardized safety element exchange • SAFE current status • 1st extension of EAST-ADL Meta model • Hardware relevant element : metrics, failure… • Hazard and situation using formal semantic • Formalism for qualitative analysis under revision (FTA / EVA…) Continental Automotive / Philippe Cuenot / OFFIS / Thomas Peikenkamp / 2012.09.25
Thank you for your attentionWe value your opinion and questions