SW-Arch-for-Safety基于安全的软件架构设计

EfficientSoftwareArchitecturesEfficientSoftwareArchitecturesforSafetyECUsVectorHirainJointCongressVectorHirainJointCongressDr.GüntherHeling2011-10-19©2011.VectorInformatikGmbH.Allrightsreserved.AnydistributionorcopyingissubjecttopriorwrittenapprovalbyVector.V2.532011-10-18AutomotiveTrends1.ElectrificationÆZeroEmission(locally)ÆZeroEmission(locally)2.DriverAssistanceÆAtDiiÆAutonomousDriving3.ConnectivityÆAlwaysOn©2011.VectorInformatikGmbH.Allrightsreserved.AnydistributionorcopyingissubjecttopriorwrittenapprovalbyVector.Slide:2/29ElectrificationTorqueElectricVehicleHybridStart-StopTemperatureCitHihHCityChargingHighwayChargingHomeCharging©2011.VectorInformatikGmbH.Allrightsreserved.AnydistributionorcopyingissubjecttopriorwrittenapprovalbyVector.Slide:3/29DriverAssistanceDegreeofassistanceAutonomousemergencybrakinggygAdaptivecruisecontrolcontrolCruisecontrolUsecaseofassistanceCityHighwayParking©2011.VectorInformatikGmbH.Allrightsreserved.AnydistributionorcopyingissubjecttopriorwrittenapprovalbyVector.Slide:4/29ECUswithsafetygoalsarenolongeranexception12234©2011.VectorInformatikGmbH.Allrightsreserved.AnydistributionorcopyingissubjecttopriorwrittenapprovalbyVector.Slide:5/29EvolutionofSafetyStandardsAiSddGiSddIEC61508MILSTD882ISO26262AutomotiveStandardsGenericStandardsMISRAAeroStandardsIEC62061SAEARP4754IndustryStandardsSAEARP4761RTCADO-178BIEC61511IEC61513IEC/EN…RTCADO-254IEC/EN…XToavoidliabilityrisksÎApplystateoftheartdevelopmentmethods!ÎApplyISO26262!©2011.VectorInformatikGmbH.Allrightsreserved.AnydistributionorcopyingissubjecttopriorwrittenapprovalbyVector.Slide:6/29ISO26262–FromHazardAnalysistoSafetyGoals1Identifydrivingsituations&vehiclestates1.Identifydrivingsituations&vehiclestatesXe.g.“drivingonthehighwayvehiclefullyloaded”2.IdentifypotentialhazardsXe.g.“suddenbrakeimpulseononewheel”3.ClassifyhazardsXeg“vehiclegetsofftheroad”Xe.g.vehiclegetsofftheroad4.Determinesafetyintegritylevel(ASIL)ygy()Xseenextslide5.Definehighlevelsafetygoals…inordertominimizetherisktoanacceptablelowlevel©2011.VectorInformatikGmbH.Allrightsreserved.AnydistributionorcopyingissubjecttopriorwrittenapprovalbyVector.Slide:7/29ASIL–AutomotiveSafetyIntegrityLevelDeterminationofASILbasedonHazardandRiskAnalysisSeverityS1–lightinjuriesS2–severeinjuriesS3–fatalinjuriesjExposureE1–verylowprobabilityE2–lowprobabilityE3–mediumprobabilityE4–highprobabilityControllabilityC1–simplycontrollableC2–normallycontrollableC3difficultorimpossibletocontrolS1S2S3C3–difficultorimpossibletocontrolE1E2E3E4E1E2E3E4E1E2E3E4C1-------A--ABC2---A--AB-ABCC2AABABCC3--AB-ABCABCDASIL–determinesdevelopmentmethodstobeapplied©2011.VectorInformatikGmbH.Allrightsreserved.AnydistributionorcopyingissubjecttopriorwrittenapprovalbyVector.Slide:8/29pppECUswithsafetygoalsarenolongeranexception12ISO26262defineshowtodevelop2ISO26262defineshowtodevelopsafetyrelatedautomotivesystems34©2011.VectorInformatikGmbH.Allrightsreserved.AnydistributionorcopyingissubjecttopriorwrittenapprovalbyVector.Slide:9/29IntroductionSafetySoftwareSfGlFunctionalSafetyRequirementsforECUSWSafetyGoalsSafetySfSoftwareSafetySoftwareneedstohaveasufficientlylowrateofsystematicfildblikfailures-ensuredbymeasureslikeXprocess&developmentmethodsandXadditionalsafetymechanisms(redundancy/plausibility-checks)incaseofcomplexalgorithmsasdefinedinISO26262Part6©2011.VectorInformatikGmbH.Allrightsreserved.AnydistributionorcopyingissubjecttopriorwrittenapprovalbyVector.Slide:10/29FreedomfromInterferenceThreat:PropagationofFailuresSfGlFunctionalSafetyRequirementsforECUSWSafetyGoals1.MemorySafetySf2.CPUTime3.CommunicationHWrandomfaultssyst.faultsSoftwareHWSWfsyst.faultsHW©2011.VectorInformatikGmbH.Allrightsreserved.AnydistributionorcopyingissubjecttopriorwrittenapprovalbyVector.Slide:11/29FreedomfromInterferenceProtectionOptionsSafetySoftwareprotectsitselfagainstattacksDefenseSafetySfrandomfaultssyst.faultsHWSoftwarefHWSWsyst.faultsHW©2011.VectorInformatikGmbH.Allrightsreserved.AnydistributionorcopyingissubjecttopriorwrittenapprovalbyVector.Slide:12/29FreedomfromInterferenceProtectionOptionsSafetySoftwareprotectsitselfagainstattacksfromothersDefenseSafetySfrandomfaultssyst.faultsHWSoftwarefHWSWsyst.faultsTrustedElements(HWorSW)HW()aredevelopedwiththerequiredintegrityinordernottocorrupt©2011.VectorInformatikGmbH.Allrightsreserved.AnydistributionorcopyingissubjecttopriorwrittenapprovalbyVector.Slide:13/29FreedomfromInterferenceProtectionOptionsSafetySoftwareprotectsitselfagainstattacksfromothersAdditionalmechanismsblockpossibleattacksBarriersDefenseSafetySfblockpossibleattacksrandomfaultssyst.faultsHWSoftwarefHWSWsyst.faultsTrustedElements(HWorSW)HW()aredevelopedwiththerequiredintegrityinordernottocorrupt©2011.VectorInformatikGmbH.Allrightsreserved.AnydistributionorcopyingissubjecttopriorwrittenapprovalbyVector.Slide:14/29FreedomfromInterferenceProtectionOptionsThreatsPttiMCPUTiCitiProtectionMemoryCPUTimeCommunicationDefenseYESegredundancyNONOe.g.redundancyTrustedSWYESe.g.pointerchecksYESe.g.codereviewYESe.g.redundancyBarriersYES