
Dedicated Modeling Support for the Automotive Functional Safety Standard .pdf

Uploader: nanchangxurui  Document ID: 7096614  Upload time: 2022-09-01  Format: PDF  Pages: 14  Size: 306.44KB

Dedicated Modeling Support for the Automotive Functional Safety Standard

Fulvio Tagliabò (1), Sandra Torchiaro (1), Rolf Johansson (2), Henrik Lönn (3), Martin Walker (4), Yiannis Papadopoulos (4), Anders Sandberg (5), DeJiu Chen (6)

(1) Centro Ricerche Fiat, Strada Torino 50, 10043 Orbassano (TO), Italia; sandra.torchiaro, fulvio.tagliabo@crf.it
(2) Mentor Graphics Corp., 41755 Gothenburg, Sweden; rolf_johansson
(3) Volvo Technology Corp., 40508 Gothenburg, Sweden; henrik.lonn
(4) University of Hull, Hull HU6 7RX, UK; Martin.Walker, Y.I.Papadopoulos@hull.ac.uk
(5) Mecel AB, SE-400 20 Gothenburg, Sweden; anders.sandberg@mecel.se
(6) Royal Institute of Technology, 10044 Stockholm, Sweden; DeJiu.Chen@md.kth.se

Abstract. The ISO/DIS 26262 standard on functional safety for road vehicles has wide implications for the information exchange among partners in the automotive domain. As most development today is distributed among several companies and departments, it is important that all information exchange is precise enough to enable the OEM to take full responsibility for the entire functional safety. Still, there is also a need to protect intellectual property, because giving away detailed design information may jeopardize a company's commercial advantage. The solution to this dilemma is a dedicated language for exchanging exactly the needed information in an unambiguous way. ISO/DIS 26262 defines a standardized reference life cycle in which information should be generated and communicated in each phase. In this paper we show how dedicated language support can facilitate this in the distributed automotive industry structure of today. All phases are covered, but this paper has a special focus on the needs of the concept phase. The dedicated language support is a part of the EAST-ADL2 language. EAST-ADL2 is an AUTOSAR compliant architectural language covering the more abstract views of an automotive E/E system. It is an extendable modular language giving the possibility to add dedicated packages for special purposes. This paper describes the module of EAST-ADL2 dedicated to ISO/DIS 26262 support.

Keywords: ASIL, EAST-ADL2, Functional Safety, Functional Safety Concept, ISO/DIS 26262, Safety goal, Safety Life-cycle.

1 Introduction

The automotive industry shares the view that in the next 10 years 90% of its expected innovations will be based on Electrical/Electronic (E/E) systems, with a huge emphasis on safety systems. This is also because the European Commission has the target of reducing the death rate due to road accidents by 50% (vs. 2001) before 2010 and by 75% before 2020. This important goal will be supported by new passive, preventive and active safety systems that decrease the probability that an accident occurs and mitigate the consequences for vehicle occupants and other road users. New functionalities for active safety are starting to be available on the market to assist the driver in the task of controlling the vehicle, so as to guarantee maximum vehicle stability and automatic recovery in emergency manoeuvres.

Driving assistance functions are based on E/E systems and are built by integrating electronic units (and even software components) from different suppliers. These functionalities are potentially safety-critical, because in case of malfunctioning they could have an impact on the system behaviour and, consequently, on the controllability of the vehicle. Such hazardous situations could cause severe injury to the people involved.

The increasing number of safety-critical systems installed in vehicles, the coupling among different sub-systems and the increased complexity of the architecture make it necessary to define an appropriate methodology for addressing all aspects concerning the effects of potential faults. In other words, it is necessary to define a set of methods that allow the application and management of functional safety. The methodology has to be unified, internationally recognized and specific to the automotive field. The solution adopted by the international community has been to develop and apply the new standard ISO/DIS 26262 "Road vehicles - Functional safety". ISO/DIS 26262 represents the state of the art regarding safety processes, with the related methods and the safety requirements for the development, production, maintenance and decommissioning of E/E systems installed in series production passenger cars (currently with a max gross weight up to 3.5 t). This standard has wide implications for the information exchange among OEMs and suppliers in the automotive domain. As most development today is distributed among several companies and departments, it is important that all information exchange is precise enough to enable the OEM to take full responsibility for the entire functional safety process. The solution we propose is to use a semi-formal approach for exchanging the information specified by the standard in an unambiguous way. An architecture description language for model-based development of automotive embedded systems, associated with a "safety analysis based" methodology, can cover these needs. In this field EAST-ADL2 (www.atesst.org) provides a well-defined information structure for specifying and managing various engineering concerns and system aspects across development stages. One specific objective of EAST-ADL2 is to provide native, language-level support for the ISO 26262 safety process and safety concepts, as well as their integration with other aspects of system development. In this paper we first provide an overview of the ISO 26262 standard and then explain how EAST-ADL can support development according to the standard in each safety life cycle phase.

2 ISO DIS 26262 Overview

ISO 26262 is an International Standard for functional safety, intended to be applied to passenger cars. It is the adaptation of IEC 61508 to the automotive-specific application of Electric/Electronic systems within passenger cars. The current status is Draft International Standard (DIS), and the forecasted release is March 2011. In a later stage (2013), it is planned to evaluate the extension of the standard to heavy road vehicles (e.g. trucks, buses). ISO/DIS 26262 "Road vehicles - Functional safety" includes guidance to avoid risks caused by "systematic failures" and "E/E random hardware failures", by providing feasible requirements and processes [1].

Central in this International Standard are the concepts of risk and safety goals. Risk is a function of the frequency (or likelihood) of the hazardous event and the related degree of injury (severity). Since the approach of the new standard to risk considers that zero risk can never be reached, the objective is to reduce the risk to an ALARP level (As Low As Reasonably Practicable). Afterwards, the risk is reduced to a tolerable level by applying safety concepts to reach the safety goals and the safety constraints that depend on the risk. ISO/DIS 26262 requires the "functional safety approach" to be applied starting from the preliminary vehicle development phases and continuing along the whole product life-cycle. This approach allows a safe automotive system to be designed. Furthermore, it provides an automotive-specific risk-based approach for determining risk classes named ASILs (Automotive Safety Integrity Levels). The new standard uses the ASILs for specifying the item's necessary safety requirements for achieving an acceptable residual risk, and provides requirements for validation and confirmation measures to ensure that a sufficient and acceptable level of safety is being achieved [1].

ISO 26262 consists of the following parts:
Part 1 - Vocabulary: specifies the terms, definitions and abbreviated terms for application in all parts of ISO 26262.
Part 2 - Management of functional safety: specifies the requirements on functional safety management for automotive applications.
Part 3 - Concept phase: specifies the risk assessment procedure and the requirements to be applied during the concept phase to define a safe E/E architecture archetype.
Part 4 - Product development - system level: specifies the requirements to be applied during the product development at the system level.
Part 5 - Product development - hardware level: specifies the requirements to be applied during the product development at the hardware level.
Part 6 - Product development - software level: specifies the requirements to be applied during the product development at the software level.
Part 7 - Production and operation: specifies the requirements on production, operation, service and decommissioning.
Part 8 - Supporting processes: specifies the requirements for supporting processes, like qualification of software tools, qualification of hardware and software components, and the proven-in-use argument.
Part 9 - ASIL-oriented and safety-oriented analyses: specifies the requirements to be applied to perform an ASIL-oriented analysis, and the ASIL decomposition approach.
Part 10 - Guideline on ISO 26262: an informative part dedicated only to giving an overview of ISO 26262, intended to improve the understanding of the other parts of ISO 26262.

The ISO 26262 safety life-cycle includes the following phases:
Concept phase (Part 3)
System level development - specification (Part 4)
Hardware level development (Part 5)
Software level development (Part 6)
System level development - integration and validation (Part 4)

Fig. 1 ISO 26262 Safety life-cycle

This paper describes how to perform a safety analysis compliant with ISO/DIS 26262, focusing on the concept phase, and how the related information can be represented.

3 Functional Safety in the ISO 26262 Concept Phase

EAST-ADL2 supports several of the safety life-cycle phases defined in ISO 26262. Below, we explain the modeling concepts relevant for the concept phase.

The first step of the safety design flow consists of identifying and describing the "item" under development. It represents the functions, components, or (sub)systems of particular concern with regard to functional safety. To perform the item safety analysis, it is essential to properly understand the item itself in terms of input(s)/output(s), functionality, interfaces and environmental conditions, and to define the item target function, which is the function description in terms of output behaviour. At the beginning of the safety analysis activities, the boundary of the item and the item's interfaces with other elements are determined.

To evaluate the risk associated with the item under safety analysis, a risk assessment is carried out. A risk assessment considers the functionality of the item and a relevant set of scenarios (operating conditions and environmental conditions). To identify hazards, the potential sources of harm, it is helpful to define the malfunction(s) related to the item. If the item target function(s) has been correctly identified and described, the malfunction can always be defined in terms of anomalies of function activation. To assess the risk level, hazardous events, i.e. a hazard in concomitance with a particular scenario, are considered. As required by ISO 26262, for each identified hazardous event the severity, controllability and exposure values should be ranked to determine the associated Automotive Safety Integrity Level (level of risk). It is important to remark that the controllability levels assigned to the various situations should be assessed through specific testing on the road, fault injection, etc. The ASIL specifies the item's necessary safety requirements for achieving an acceptable residual risk. A risk (R) can basically be described as a function F of the frequency (f) of occurrence of a hazardous event, the ability to avoid the specific harm through opportune reactions of the involved persons (C = controllability) and the potential severity of the resulting harm or damage (S = severity); the frequency of occurrence f depends only on the probability that the driving scenario in which the hazardous event can occur takes place (E = exposure) [1].

During the concept phase a safety goal shall be defined for each hazardous event. This is a fundamental task, since the safety goal is the top-level safety requirement, and it is the base on which the functional and technical safety requirements are defined. The safety goal leads to item characteristics needed to avert the hazard or to reduce the risk associated with the hazard to an acceptable level. Each safety goal is assigned an ASIL value to indicate the required integrity level according to which the goal shall be fulfilled. For every safety goal a safe state, if applicable, shall be identified in order to declare a system state to be maintained or to be reached when the failure is detected, so as to allow a failure mitigation action without any violation of the associated safety goal. For each safety goal and safe state (if applicable) that result from the risk assessment, at least one safety requirement shall be specified.

4 EAST-ADL2 Support for ISO 26262

EAST-ADL2 provides an ontology and a concrete language for system definition and information management. The purpose of the EAST-ADL2 language is to capture automotive Electrical and Electronic (E/E) systems with enough detail to allow modeling for documentation, design, analysis, and synthesis. The language contains multiple levels of abstraction: the VehicleLevel, the AnalysisLevel, the DesignLevel, and the ImplementationLevel. Each abstraction level corresponds to one specific view of the system architecture at a particular development stage. The models at the VehicleLevel provide a top-level view of the E/E system of a vehicle, where the intended electronic features are described and elaborated with respect to its required functionality and its product-line organization. The realization of such electronic features in terms of logical functions and principal interfaces is given at the AnalysisLevel [3]. A further refined view is provided at the DesignLevel, where more implementation-oriented aspects are taken into consideration, as well as the hardware architecture. System models at the ImplementationLevel specify the actual software and hardware architectures according to AUTOSAR [4]. The structural aspect of EAST-ADL2 is annotated with additional information in its extensions for requirements, V&V, dependability and timing. A plant model is also defined. Abstraction of requirements,
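The concept-phase flow described in Section 3 (item definition with its target function, malfunctions as anomalies of function activation, hazardous events ranked by severity, exposure and controllability, safety goals carrying an ASIL, a safe state and at least one safety requirement), as an added Python example. It is not code from the paper and not part of EAST-ADL2. It assumes the S/E/C-to-ASIL table of ISO 26262-3 (the paper describes the ranking only in words) and the rule that a safety goal covering several hazardous events takes the highest of their ASILs; the electric parking brake item and its S/E/C values are constructed for illustration, and all class and function names are the example's own.

```python
"""ISO 26262 Part 3 concept-phase flow (item definition, hazard analysis and
risk assessment, safety goals) modelled as plain Python data.  Added example,
not code from the paper and not part of EAST-ADL2; the class and function
names are this example's own."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ASIL_ORDER = ["QM", "A", "B", "C", "D"]


def determine_asil(severity: int, exposure: int, controllability: int) -> str:
    """Map an S/E/C ranking to an ASIL.

    Encodes the ASIL determination table of ISO 26262-3 (assumption: the
    table of the released standard, taken to match the DIS the paper cites).
    S0, E0 or C0 means no ASIL is required (QM).  For the remaining classes
    the table is equivalent to ranking by S + E + C:
    10 -> D, 9 -> C, 8 -> B, 7 -> A, anything lower -> QM.
    """
    if not (0 <= severity <= 3 and 0 <= exposure <= 4 and 0 <= controllability <= 3):
        raise ValueError("S must be 0..3, E 0..4, C 0..3")
    if 0 in (severity, exposure, controllability):
        return "QM"
    return {10: "D", 9: "C", 8: "B", 7: "A"}.get(severity + exposure + controllability, "QM")


@dataclass
class Item:
    """The function or (sub)system under development, with its boundary."""
    name: str
    target_function: str       # function description in terms of output behaviour
    inputs: List[str]
    outputs: List[str]


@dataclass
class HazardousEvent:
    """A hazard (anomaly of the item's function activation) in a scenario."""
    malfunction: str           # e.g. "unintended activation", "loss of function"
    hazard: str
    scenario: str              # operating and environmental conditions
    severity: int              # S0..S3
    exposure: int              # E0..E4
    controllability: int       # C0..C3, to be confirmed by road tests / fault injection

    @property
    def asil(self) -> str:
        return determine_asil(self.severity, self.exposure, self.controllability)


@dataclass
class SafetyGoal:
    """Top-level safety requirement derived from one or more hazardous events."""
    text: str
    events: List[HazardousEvent]
    safe_state: Optional[str] = None
    functional_safety_requirements: List[str] = field(default_factory=list)

    @property
    def asil(self) -> str:
        # A goal that covers several hazardous events carries the highest of
        # their ASILs (the ISO 26262-3 rule for combined safety goals).
        return max((e.asil for e in self.events), key=ASIL_ORDER.index)


def check_concept_phase(item: Item, events: List[HazardousEvent],
                        goals: List[SafetyGoal]) -> List[str]:
    """Return the concept-phase obligations from the text that are not met."""
    findings: List[str] = []
    if not item.target_function or not item.outputs:
        findings.append(f"item '{item.name}' lacks a target function defined on its outputs")
    covered = {id(e) for g in goals for e in g.events}   # dataclasses are unhashable
    for e in events:
        if id(e) not in covered:
            findings.append(f"hazardous event '{e.hazard} / {e.scenario}' has no safety goal")
    for g in goals:
        if not g.functional_safety_requirements:
            findings.append(f"safety goal '{g.text}' ({g.asil}) has no safety requirement")
    return findings


def build_example() -> Tuple[Item, List[HazardousEvent], List[SafetyGoal]]:
    """Constructed electric parking brake (EPB) item; S/E/C values are illustrative."""
    epb = Item("Electric parking brake",
               "apply or release the parking brake on driver request and hold the parked vehicle",
               inputs=["driver switch", "vehicle speed"], outputs=["brake actuator force"])
    unintended = HazardousEvent("unintended activation", "rear wheels lock while driving",
                                "highway driving, dry road", severity=3, exposure=4, controllability=3)
    no_hold = HazardousEvent("loss of function", "vehicle rolls away when parked",
                             "parked on a steep slope", severity=2, exposure=3, controllability=2)
    goal_1 = SafetyGoal("Unintended brake application while the vehicle is moving shall be prevented",
                        [unintended], safe_state="brake actuator de-energised (released)",
                        functional_safety_requirements=[
                            "Brake application shall be inhibited above the walking-speed "
                            "threshold (value is a placeholder)"])
    goal_2 = SafetyGoal("The parking brake shall hold the parked vehicle on the rated slope",
                        [no_hold])   # no requirement yet: the check reports it
    return epb, [unintended, no_hold], [goal_1, goal_2]


if __name__ == "__main__":
    item, events, goals = build_example()
    for ev in events:
        print(f"{ev.malfunction:22s} S{ev.severity} E{ev.exposure} C{ev.controllability} -> ASIL {ev.asil}")
    for finding in check_concept_phase(item, events, goals):
        print("open:", finding)
```

Running the module prints the ASIL of each hazardous event and the open obligations, which for the constructed data is the second safety goal without a functional safety requirement. The S + E + C shortcut in determine_asil is a compact way of encoding the standard's table, not the way the standard presents it; an exchange format such as the one the paper describes would carry the ranked S, E and C values and the resulting ASIL explicitly rather than recomputing them.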
