Model based development for function safety Continental Automotive France Philippe CUENOT OFFIS

Model based development for function safety

Continental Automotive FrancePhilippe CUENOT

OFFISThomas PEIKENKAMP

ITEA 2 ~ 10039

Model based development for function safety

• Process overview

• Hazard Analysis

• Items definition

• Architecture and Safety Concept

• Qualitative Safety Analysis

• Quantitative Safety Analysis

• Conclusion

Continental Automotive / Philippe Cuenot / OFFIS / Thomas Peikenkamp / 2012.09.25

ITEA 2 ~ 10039

Process overview (not including safety management)

• Main input for the hazard analysis: Definition of the Item (under investigation), including

– Dependencies/interaction with other items of the vehicle

– Dependencies/interaction with the environment of the vehicle (including the driver and possibly other traffic participants)

• Identify & model hazards (resp. hazardous events)

– In model-based development we would expect that all identified hazardous events can be “executed” within the model

– For each hazard a safety goal for hazard avoidance/mitigation needs to be identified

• Result of hazard analysis shall enable the validation of the Functional Safety Concept

• Initiate the Functional Safety Concept using architecture model

OFFIS / Thomas Peikenkamp / 2012.09.25

ITEA 2 ~ 10039

Process overview (not including safety management)

• Qualitative Analysis and rework of the Functional Safety Concept

– Demonstrate that function failure do not violating the safety goal using model based techniques (Failure Mode as model property)

• Develop the Technical Safety Concept

– Refine architecture model and perform allocation of Logical Function into SW or HW Functional Block model

• Qualitative Analysis of technical Safety Concept

– Demonstrate that HW and SW function failure do not violating the safety goal (not cut set of order 1) using model based techniques

• Quantitative Analysis of technical Safety Concept

– Metrics and probabilistic calculation (FIT defined as model property)

• Develop HW and SW component (and then verify)


ITEA 2 ~ 10039

Hazard Analysis Contributing Factors


• Several factors are contributing to the occurrence of hazardous events

• For traceability reasons ISO 26262 requires the analysis

– to identify these factors

– to show how they contribute

ITEA 2 ~ 10039

Hazard AnalysisFormalization


• Formal description of hazardous events should identify

– identify each factor

– show how it is contributing to its occurrence

Hazard: partial loss of steering functionFactor contributing to hazardous event: Controllability of torque on steering wheel

ITEA 2 ~ 10039

Hazard AnalysisModeling Needs


• An abstract model of the item/vehicle is used to identify the concepts needed within the hazard formalization (no design model!)

• Includes the hazard formalization

• Items are characterized from different perspectives within this model …

ITEA 2 ~ 10039

Items definition


• The item (under investigation) and other items of the vehicle have to be looked at from different perspectives when describing hazards and safety goals:– How is the item used within vehicle/environment?

Operational perspective

– How does it interact with other items?

Functional perspective

– Where is it installed within vehicle?

Geometrical perspective

– What is the HW/SW architecture of the item?

Technical perspective

Need for adequate architecture model …

ITEA 2 ~ 10039

Architecture and Safety ConceptArchitecture abstraction*

*From SPES Meta Model architecture (OFFIS)Continental Automotive / Philippe Cuenot / 2012.09.25

ITEA 2 ~ 10039

Architecture and Safety ConceptMapping with EAST-ADL/AUTOSAR

Continental Automotive / Philippe Cuenot / 2012.09.25

ITEA 2 ~ 10039

Qualitative Safety Analysis (mix of inductive and deductive methods)

Step 1: Elementary block failure mode analysis (Dysfunctional behavior)

Step 2: Tag of each block safety contribution (function, diagnosis, mechanism…)

Step 3: Generation of propagation for Qualitative analysis (FTA / ETA /…)

Merged FTA / ETA/…Sys

tem

dec

om

po

siti

on

FMEA

FMEDA

Hazardanalysis

Safety Goal

GeneratedFTA / ETA /..

GeneratedFTA / ..

GeneratedFTA / …

FE

GeneratedFTA / …


ITEA 2 ~ 10039

Package

Allo

cation

Power SupplyMonitoring

μP Driver

μP

FPGA1C1

ASIC1

Hardware BlockMatching Requirement structural organization

Includes safety mechanismDescribing Function and Interface

Hardw

areS

afety Req.

Electronics HW Architecture (Function Blocks)

Electronics HW Schematic (Components)

Top Level Hardware Safety Requirementfrom safety qualitative analysis

Component X shall not contribute to Hardware Block Failure Mode

Quantitative Safety Analysis Hardware electronic component


EAST-ADL / HDA

AUTOSAR ECU Ress Temp. (IP-XACT match)

Electronic Package AllocationAdditional hardware safety requirement

ASICx shall integrate Safety Mechanism 1FPGAX shall ensure independence between Function 1

and Function 2

Electronic DesignComponent Super Set (ASIC1 + C1+ …)

Next step for qualitative analysis

ITEA 2 ~ 10039

Electronics HW architecture (Blocks)

Failure Mode Identification

Quantification based on Function Block

Metrics VerificationTarget versus Calculated FIT from HW component

Architecture block

Function Failure Mode

FIT(Target)

FIT(Calculus

)SG

SPF MPF

Viol. SG1 SM

DC HW&S

W

Viol. SG1 with

Comb.SM

DC HW&SW

Power supply

3.3V FM11: Complete lost of power 0.0002 λFM11

Safety

Goal 1

Y Fct3 %

FM12: Transient power 0.0001 λFM12 N

FM13: Power up impossible 0.003 λFM13 Y

FM14: Power down impossible 0.001 λFM14

FM15: Loss of power performance

X λFM15

Reset FM21 : No reset activation Y λFM21

FM22 : misplaced reset Z λFM22

FM23: Reset always active T λFM23

FM24: Non respect of reset timing

u λFM24

…etcRF+SPF rate

(FIT)

MPF +SF rate (FIT)

Allocation

(from electronic component and project) Calculation

Component FIT allocation for HW component Super Set

(from generic design)

PS: Same concept of allocation/calculation can be applied to DC


Quantitative Safety Analysis FIT allocation to hardware component

ITEA 2 ~ 10039

Electronic Components Super Sets Failure Mode AnalysisQuantitative contribution to Top level hardware safety requirement (as failure mode FMxx)

HW Block failure Mode Top level hardware safety

requirementHW component sub-set relation from Reliability

calculus

λFM11 AND(C1, ASICB11) (λC1oc * λC1D) + (λAPxol * λAPxcg * λAPxdog) +

λAB11

λFM12 OR (C1, ASICB12) λC1oc * λAB12

λFM13 Cf. Complex Truth Table (R1, C1, C2, ASICB11, ASICB12…)

…etc

Inductive methods for analysis of electronic component failureMade by specialist as electronic designer and use reliability data base

Use reliability block diagram or failure mode and effect Analysis

Allocation of failure and ratio of component FIT to block failure mode (λFMxx)

Serial (AND): λC1oc * λASIC1

Parallel (OR): λC1o + λASIC1

Complex Truth Table Modeling: Σ((λC1oc*λASIC1)+(λC1ccg*λASIC1)) as simplification of OR and AND combination)

Quantification based on HW electronic Component

Quantitative Safety Analysis Hardware component metrics contribution


FMEA style

Electronic component Failure mode

HW Block failure Mode Top level hardware safety

requirement

C1 - λC1oc λFM11

λFM12

C1 - λC1D λFM11

ASICB12 - λAB12 etc.

Calculation or direct Reliability Block Diagram

ITEA 2 ~ 10039

Conclusion

• Benefit of approach– Hazard: allows (semi-) formal verification for future– Architecture: clear separation of design and implementation– Reduce time for safety analysis (library and generation approach)– Standardized safety element exchange

• SAFE current status – 1st extension of EAST-ADL Meta model

‾ Hardware relevant element : metrics, failure…‾ Hazard and situation using formal semantic

– Formalism for qualitative analysis under revision (FTA / EVA…)

Continental Automotive / Philippe Cuenot / OFFIS / Thomas Peikenkamp / 2012.09.25

Thank you for your attentionWe value your opinion and questions

Model based development for function safety Continental Automotive France Philippe CUENOT OFFIS

Documents

Transcript of Model based development for function safety Continental Automotive France Philippe CUENOT OFFIS