Functional Safety Standard ISO 26262-9: ASIL Determination and Decomposition


5.4 Requirements and recommendations
5.4.1 If ASIL decomposition is applied, all the requirements within this clause shall be complied with.
5.4.2 ASIL decomposition shall be performed by considering each initial safety requirement individually.
NOTE Several safety requirements can be allocated to the same independent elements as the result of ASIL
decompositions of different initial safety requirements.
5.4.3 The initial safety requirement shall be decomposed to redundant safety requirements implemented by
sufficiently independent elements.
5.4.4 Each decomposed safety requirement shall comply with the initial safety requirement by itself.
NOTE This requirement provides redundancy by definition.
5.4.5 The requirements on the evaluation of the hardware architectural metrics and the evaluation of safety
goal violations due to random hardware failures shall remain unchanged by ASIL decomposition in
accordance with ISO 26262-5.
ISO 26262-9:2011(E), © ISO 2011 – All rights reserved

5.4.6 If ASIL decomposition is applied at the software level, sufficient independence between the elements
implementing the decomposed requirements shall be checked at the system level and appropriate measures
shall be taken at the software level, or hardware level, or system level to achieve sufficient independence.
5.4.7 If ASIL decomposition of an initial safety requirement results in the allocation of decomposed
requirements to the intended functionality and an associated safety mechanism, then:
a) the associated safety mechanism should be assigned the highest decomposed ASIL;
NOTE In general, the safety mechanisms have a lower complexity and lower size than the intended functionality.
b) a safety requirement shall be allocated to the intended functionality and implemented applying the
corresponding decomposed ASIL.
NOTE If the decomposition scheme ASIL x(x) + QM(x) is chosen, then QM(x) means that the quality management
system can be sufficient to develop element(s) that implement the safety requirement allocated to the intended
functionality. QM(x) also means that the quality management system can support the rationale for the independence
between the intended functionality and the safety mechanism.
5.4.8 If the violation of an initial safety requirement cannot be prevented by switching off the element, then
adequate availability of the sufficiently independent elements implementing the decomposed safety
requirements shall be shown.

5.4.9 When applying ASIL decomposition to a safety requirement, then:
a) ASIL decomposition shall be applied in accordance with 5.4.10;
b) ASIL decomposition may be applied more than once;
c) each decomposed ASIL shall be marked by giving the ASIL of the safety goal in parenthesis.
EXAMPLE If an ASIL D requirement is decomposed into one ASIL C requirement and one ASIL A requirement, then
these are marked as “ASIL C(D)” and “ASIL A(D)”. If the ASIL C(D) requirement is further decomposed into one ASIL B
requirement and one ASIL A requirement, then these are also marked with the ASIL of the safety goal as “ASIL B(D)” and
“ASIL A(D)”.

5.4.10 One of the following decomposition schemes outlined below shall be chosen in accordance with the
ASIL before decomposition (as shown in Figure 2), or a scheme resulting in higher ASILs may be used.
NOTE The step from one level of the selected decomposition scheme to the lower next level defines one
decomposition of the ASIL.
a) An ASIL D requirement shall be decomposed as one of the following:
1) one ASIL C(D) requirement and one ASIL A(D) requirement; or
2) one ASIL B(D) requirement and one ASIL B(D) requirement; or
3) one ASIL D(D) requirement and one QM(D) requirement.
b) An ASIL C requirement shall be decomposed as one of the following:
1) one ASIL B(C) requirement and one ASIL A(C) requirement; or
2) one ASIL C(C) requirement and one QM(C) requirement.
c) An ASIL B requirement shall be decomposed as one of the following:
1) one ASIL A(B) requirement and one ASIL A(B) requirement; or
2) one ASIL B(B) requirement and one QM(B) requirement.
d) An ASIL A shall not be further decomposed, except, if needed, as one ASIL A(A) requirement and one
QM(A) requirement.


Figure 1: Schematic of the ASIL decomposition principle

The ASIL decomposition process is introduced below with an example.

Assume a function F with input signals S1, S2 and S3. These three signals measure different physical quantities and are mutually independent. After logic processing inside the ECU, a trigger message is sent to the actuator; the architecture of function F is shown in Figure 2. Assume that hazard analysis and risk assessment rate function F at ASIL D, with the safety goal of avoiding unintended triggering of the actuator. Each part of function F then inherits this ASIL, i.e. the sensors, the ECU and the actuator all have to be developed to ASIL D, as shown in Figure 3.

Figure 2: Architecture of function F

Figure 3: Allocation of ASILs to the architecture of function F

Further analysis shows that unintended triggering of the actuator only causes a hazard when the speed V exceeds a threshold. We therefore add a safety mechanism to the architecture of function F, whose job is to inhibit triggering of the actuator whenever it detects that the speed V is above the threshold. The architecture of function F then becomes that of Figure 4.

Figure 4: Architecture after adding the safety mechanism

Function F and the safety mechanism are redundant safety requirements that together satisfy the safety goal, so the original ASIL of function F can be decomposed across these two requirements into ASIL D(D) and QM(D). The ASILs after decomposition are shown in Figure 5.

Figure 5: Architecture after ASIL decomposition

The original sensors S1, S2 and S3 are now developed to QM and the speed sensor to ASIL D. In the ECU software, the original logic is developed to QM and the safety-mechanism logic to ASIL D. Software of different ASILs thus coexists in one ECU; to guarantee independence between the two, i.e. that neither influences the other, memory protection mechanisms and suitable scheduling attributes are needed to keep memory space and CPU time independent, which adds considerable cost to the software development. We therefore go one step further and use hardware separation to guarantee independence: we choose a cheap, simple chip (for example a PGA, Programmable Gate Array) to run the software of the safety mechanism (Figure 6). Note that the PGA must use an independent power supply and clock.

Figure 6: Improved architecture after ASIL decomposition

After decomposition, the functional logic developed to ASIL D is simple, which makes development simpler and lowers the overall cost.
4. Conclusion
This article used the EPB as an example to introduce the method of determining safety goals and their ASILs in ISO 26262. The ASIL of a safety goal is inherited by the safety requirements of the development phase; if a safety requirement's ASIL is high, ASIL decomposition is needed to lower it, and the principles and steps of ASIL decomposition were introduced with an example. ISO 26262 does not mandate ASIL decomposition, but by analysing the system and then adjusting its architecture we can carry it out, which solves the problems of development cost, development time and technical demands that a high ASIL brings.
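The marking rule of 5.4.9 c) and the schemes of 5.4.10 above, together with the function F decomposition of this example, can be turned into a small checker. This is an added example, not text or code from the standard or the original post; the class and function names are hypothetical, and its treatment of "a scheme resulting in higher ASILs" (element-wise comparison of the sorted pair against a listed scheme) is this example's own reading of that sentence.

```python
# Checks a chain of ASIL decompositions against ISO 26262-9 5.4.9 and 5.4.10.
# Added example; not code from the standard or the original post.
from dataclasses import dataclass, field

# Ordinal ranking used to compare ASILs; QM is the lowest level.
RANK = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}

# Decomposition schemes listed in 5.4.10 a) to d), keyed by the ASIL before decomposition.
SCHEMES = {
    "D": [("C", "A"), ("B", "B"), ("D", "QM")],
    "C": [("B", "A"), ("C", "QM")],
    "B": [("A", "A"), ("B", "QM")],
    "A": [("A", "QM")],
}

@dataclass
class Requirement:
    asil: str    # ASIL of this requirement (before further decomposition)
    goal: str    # ASIL of the safety goal, written in parentheses (5.4.9 c)
    children: list = field(default_factory=list)

    def mark(self) -> str:
        """Render the 5.4.9 c) notation, e.g. 'ASIL C(D)' or 'QM(D)'."""
        prefix = "" if self.asil == "QM" else "ASIL "
        return f"{prefix}{self.asil}({self.goal})"

def scheme_allowed(initial: str, pair: tuple) -> bool:
    """True if `pair` is a 5.4.10 scheme for `initial`, or gives both parts of one
    such scheme a higher-or-equal ASIL ('a scheme resulting in higher ASILs');
    comparing the sorted pair element-wise is this example's reading of that rule."""
    if initial == "QM":
        return False    # QM is not an ASIL; 5.4.10 lists no scheme for it
    hi, lo = sorted(pair, key=RANK.get, reverse=True)
    return any(RANK[hi] >= RANK[p] and RANK[lo] >= RANK[q] for p, q in SCHEMES[initial])

def decompose(req: Requirement, pair: tuple) -> list:
    """Apply one decomposition step (5.4.9 b) allows repeating it); both parts keep
    the safety-goal ASIL in their marking (5.4.9 c))."""
    if not scheme_allowed(req.asil, pair):
        raise ValueError(f"{req.mark()} cannot be decomposed into {pair} under 5.4.10")
    req.children = [Requirement(asil=a, goal=req.goal) for a in pair]
    return req.children

def leaf_marks(req: Requirement) -> list:
    """Marks of the requirements left after all decompositions, depth-first."""
    if not req.children:
        return [req.mark()]
    return [m for child in req.children for m in leaf_marks(child)]
```

Applied to function F from this example, `decompose(Requirement("D", "D"), ("D", "QM"))` leaves the marks `['ASIL D(D)', 'QM(D)']`, while an attempt such as ASIL D into B and A is rejected because no 5.4.10 scheme is met.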

References: http://www.hirain.com/sts/142/445

https://wenku.baidu.com/view/8bb72c3811661ed9ad51f01dc281e53a580251f6.html?rec_flag=default&sxts=1531116988266&sxts=1531117206760&pn=50


Reposted from blog.csdn.net/weixin_42229404/article/details/80985449