功能安全软件架构与安全分析-汽车电子咖啡厅

ISO26262BasicTrainingDay111AutomotiveFunctionalSafety汽车功能安全TÜVRheinlandIndustrialServices李泽华AllenLiFunctionalSafetyService•培训及人员资质认证•流程及项目技术咨询•功能安全评估及认证•审核员培训•指导流程搭建•指导流程改进•ASPICE认证汽车功能安全3大业务范围•培训•项目支持•产品认证ISO26262BasicTrainingDay13SoftwarearchitecturedesignISO26262BasicTrainingDay14ObjectiveofthisLecture1.Reasonableclassificationoffunctiongroups2.Reasonabledistributionoffunctionblocks3.FigureoutdifferentASILlevelfunctionblocks4.ConsiderISO26262requirementsatsoftwarearchitecturelevel5.WorkoutsafetymechanismatsoftwarearchitecturelevelISO26262BasicTrainingDay15LectureAgenda●SoftwareArchitectureIntroduction●SoftwareArchitecturerequirementsfromISO26262●DataflowanalysisandControlflowanalysis●SafetyCriticalAnalysis(SCA)●ASILDecomposition●CoexistenceofSoftwareComponents●InterferencebetweenSoftwareComponents●DependentFailureAnalysis●SoftwareSafetyAnalysis●MechanismforerrordetectionandhandlingatSoftwarearchitectureLevel●VerificationofthesoftwarearchitecturaldesignISO26262BasicTrainingDay16What’sSoftwarearchitecture?StaticaspectDynamicaspectISO26262BasicTrainingDay177CurrentProblemsinAutomotiveDomainNoSWarchitecture•Nobaseforsoftwaresafetyanalysis•NobaseforsoftwarechangeimpactanalysisIncompleteInterface•WrongASILdecomposition,e.g.ASIL-SWCreceivethesafetyrelatedinputdatafromQM-SWC•WrongfreedomofinterferenceRoughArchitecture•AllSWCareASILx,over-design,overengineering.•Tips:balanceyoureffortsonSWarchitecturephaseandSWunitphaseISO26262BasicTrainingDay18NotationsforSoftwarearchitectureISO26262-8,table1•descriptiontechniquethatdoesnothaveitssyntaxcompletelydefinedFigureUMLclassdiagram•该方法有完整语法定义，但是语义定义不完整MethodsASILAASILBASILCASILD1aInformalnotations++++++1bSemi-formalnotations+++++++ISO26262BasicTrainingDay19PrinciplesforsoftwarearchitecturedesignMethodsASILABCD1aHierarchicalstructureofsoftwarecomponents++++++++1bRestrictedsizeofsoftwarecomponentsa++++++++1cRestrictedsizeofinterfacesa++++1dHighcohesionwithineachsoftwarecomponentb+++++++1eRestrictedcouplingbetweensoftwarecomponentsa,b,c+++++++1fAppropriateschedulingproperties++++++++1gRestricteduseofinterruptsa,d+++++aInmethods1b,1c,1eand1grestrictedmeanstominimizeinbalancewithotherdesignconsiderations.bMethods1dand1ecan,forexample,beachievedbyseparationofconcernswhichreferstotheabilitytoidentify,encapsulate,andmanipulatethosepartsofsoftwarethatarerelevanttoaparticularconcept,goal,task,orpurpose.cMethod1eaddressesthelimitationoftheexternalcouplingofsoftwarecomponents.dAnyinterruptsusedhavetobepriority-based.ISO26262BasicTrainingDay110ASILDecompositionASILDASILC(D)ASILA(D)ASILCASILB(C)ASILA(C)or++ASILDASILB(D)ASILB(D)ASILBASILA(B)ASILA(B)++DecompositionofASILDDecompositionofASILBDecompositionofASILC5.4.115.4.115.4.125.4.115.4.11ASILB(D)alsopossiblePreconditionofASILDecomposition:•Redundant•IndependentISO26262BasicTrainingDay11111WrongDecompositionImplementationForexampletheSWC-2receivesthesafetyrelatedinputsignalsfromtheQMSoftwareUnit.CorruptionoftheinputsignalsbytheQM(D)unitcouldleadtoacommoncausefaultofSWC-1andSCW-2.Possibleimpactonsafety!SignalProcessingSWC-1QM(D)SWC-2ASILD(D)SignalProcessingSWC-1QM(D)SWC-2ASILD(D)ISO26262BasicTrainingDay112CriticalityAnalysis1.Implicitsafetygoalandsafetyrequirement2.Clearsoftwarearchitecture3.Identifythesoftwarecomponentsrelatedtosafetygoal4.ClassifythesoftwarecomponentsrelevancetothesafetypathISO26262BasicTrainingDay11313Ifsafeandnon-safesoftwarehaveaccesstothesameresources,itmustbeguaranteedthatthereisnonegativeimpactonthesafeprogram,dataoroperationsbynon-safesoftware.µCMotivationforinterferencesafetyandnon-safetysoftware„old“-SWTimerInterruptsRAMGlobalVariablesSafetySWStackexternalRAMFreedomfrominterference280ISO26262BasicTrainingDay114DependentFailureAnalysis∙Independenceisthreatenedbycommoncausefailuresandcascadingfailures,whilefreedomfrominterferenceisonlythreatenedbycascadingfailures∙BothsystematicfailuresandrandomhardwarefailureshavethepotentialtobedependentfailuresISO26262BasicTrainingDay115SafetyAnalysisISO26262BasicTrainingDay116SafetyAnalysiscan:1.Identifyorconfirmthesafety-relatedpartsofsoftware2.Supportthespecificationandverifytheefficiencyofthesafetymechanisms3.SupporttheanalysisofInterferenceanddependentfailurebetweensoftwarecomponentsISO26262BasicTrainingDay117ProcessofSWFMEA1.HaveaclearideaofthefunctionofSW2.ClassifytheSWcomponentsaccordingtothefunctionofSW3.Figureoutthefailuremodes,correspondingeffectandcause4.CheckwhetherthecauseiscoveredbycurrenttestactionorsafetymechanismISO26262BasicTrainingDay118MechanismsforerrordetectionatSWarchitecturelevelISO26262BasicTrainingDay119MechanismsforerrorhandlingatSWarchitecturallevelISO26262BasicTrainingDay120VerificationofthesoftwarearchitecturaldesignISO26262BasicTrainingDay12121德国品质，本地服务ThankyouYourChallengeisourValue联系我们，TÜVRheinland就在您身边杨家玥Ms.JoanYANG直线:+862160814698手机:+8613661861123邮箱:joan.yang@tuv.com