5.4.1 If ASIL decomposition is applied, all the requirements within this clause shall be complied with.
5.4.2 ASIL decomposition shall be performed by considering each initial safety requirement individually.
NOTE Several safety requirements can be allocated to the same independent elements as the result of ASIL
decompositions of different initial safety requirements.
5.4.3 The initial safety requirement shall be decomposed to redundant safety requirements implemented by
sufficiently independent elements.
5.4.4 Each decomposed safety requirement shall comply with the initial safety requirement by itself.
NOTE This requirement provides redundancy by definition.
5.4.5 The requirements on the evaluation of the hardware architectural metrics and the evaluation of safety
goal violations due to random hardware failures shall remain unchanged by ASIL decomposition in
accordance with ISO 26262-5.
ISO 26262-9:2011(E)
© ISO 2011 – All rights reserved
5.4.6 If ASIL decomposition is applied at the software level, sufficient independence between the elements
implementing the decomposed requirements shall be checked at the system level and appropriate measures
shall be taken at the software level, or hardware level, or system level to achieve sufficient independence.
5.4.7 If ASIL decomposition of an initial safety requirement results in the allocation of decomposed
requirements to the intended functionality and an associated safety mechanism, then:
a) the associated safety mechanism should be assigned the highest decomposed ASIL;
NOTE In general, the safety mechanisms have a lower complexity and smaller size than the intended functionality.
b) a safety requirement shall be allocated to the intended functionality and implemented applying the
corresponding decomposed ASIL.
NOTE If the decomposition scheme ASIL x(x) + QM(x) is chosen, then QM(x) means that the quality management
system can be sufficient to develop element(s) that implement the safety requirement allocated to the intended
functionality. QM(x) also means that the quality management system can support the rationale for the independence
between the intended functionality and the safety mechanism.
5.4.8 If the violation of an initial safety requirement cannot be prevented by switching off the element, then
adequate availability of the sufficiently independent elements implementing the decomposed safety
requirements shall be shown.
5.4.9 When applying ASIL decomposition to a safety requirement, then:
a) ASIL decomposition shall be applied in accordance with 5.4.10;
b) ASIL decomposition may be applied more than once;
c) each decomposed ASIL shall be marked by giving the ASIL of the safety goal in parentheses.
EXAMPLE If an ASIL D requirement is decomposed into one ASIL C requirement and one ASIL A requirement, then
these are marked as “ASIL C(D)” and “ASIL A(D)”. If the ASIL C(D) requirement is further decomposed into one ASIL B
requirement and one ASIL A requirement, then these are also marked with the ASIL of the safety goal as “ASIL B(D)” and
“ASIL A(D)”.
5.4.10 One of the decomposition schemes outlined below shall be chosen in accordance with the ASIL before
decomposition (as shown in Figure 2), or a scheme resulting in higher ASILs may be used.
NOTE The step from one level of the selected decomposition scheme to the next lower level defines one
decomposition of the ASIL.
a) An ASIL D requirement shall be decomposed as one of the following:
1) one ASIL C(D) requirement and one ASIL A(D) requirement; or
2) one ASIL B(D) requirement and one ASIL B(D) requirement; or
3) one ASIL D(D) requirement and one QM(D) requirement.
b) An ASIL C requirement shall be decomposed as one of the following:
1) one ASIL B(C) requirement and one ASIL A(C) requirement; or
2) one ASIL C(C) requirement and one QM(C) requirement.
c) An ASIL B requirement shall be decomposed as one of the following:
1) one ASIL A(B) requirement and one ASIL A(B) requirement; or
2) one ASIL B(B) requirement and one QM(B) requirement.
d) An ASIL A requirement shall not be further decomposed, except, if needed, as one ASIL A(A) requirement and one
QM(A) requirement.
Figure 1: Schematic of the ASIL decomposition principle
The following example illustrates the ASIL decomposition process.
Suppose a function F has the input signals S1, S2 and S3, each of which measures a different physical quantity and is independent of the others. After logic processing inside the ECU, a trigger command is sent to the actuator; the architecture of function F is shown in Figure 2. Suppose that hazard analysis and risk assessment assigns function F the rating ASIL D, with the safety goal of avoiding unintended triggering of the actuator. Every part of function F then inherits this ASIL, i.e. the sensors, the ECU and the actuator all have to be developed to ASIL D, as shown in Figure 3.
Figure 2: Architecture of function F
Figure 3: Allocation of the ASIL to the architecture of function F
Further analysis shows that unintended triggering of the actuator is hazardous only when the speed V exceeds a threshold. We therefore add a safety mechanism to the architecture of function F whose task is to block triggering of the actuator when it detects that the speed V is above the threshold. The architecture of function F then becomes the one shown in Figure 4.
Figure 4: Architecture after adding the safety mechanism
Function F and the safety mechanism are redundant safety requirements that jointly satisfy the safety goal, so the original ASIL of function F can be decomposed across these two requirements into ASIL D(D) and QM(D); the ASILs after decomposition are shown in Figure 5.
Figure 5: Architecture after ASIL decomposition
The original sensors S1, S2 and S3 are now developed to QM and the speed sensor to ASIL D. In the ECU software, the original logic is developed to QM and the safety mechanism logic to ASIL D. Software of different ASILs now coexists in a single ECU, so to guarantee independence between the two, i.e. that neither can affect the other, memory protection mechanisms and suitable scheduling attributes are needed to ensure independence of memory space and CPU time, which adds considerable cost to software development. We therefore go one step further and use hardware separation to guarantee independence: a simple, low-cost chip (for example a PGA, Programmable Gate Array) is chosen to run the safety mechanism software (see Figure 6). Note that the PGA must use an independent power supply and clock.
Figure 6: Improved architecture after ASIL decomposition
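The schemes of 5.4.10 and the marking rule of 5.4.9 c) are mechanical enough to check with a few lines of code, which is useful when a decomposition tree has several levels. The following is an added example, not part of the standard or of the blog post above: a small validator that accepts the two-step decomposition from the EXAMPLE in 5.4.9 and the D(D) + QM(D) split of function F, rejects pairs that are not a listed scheme (and do not result in higher ASILs than one), and flags a child whose marking in parentheses does not carry the safety goal's ASIL. The requirement names such as "SG-1" and "F-safety-mechanism" are constructed. What it cannot check is the sufficient independence of the elements required by 5.4.3 and 5.4.6; that remains an architectural argument.

```python
# Added example (not part of ISO 26262 or of the blog post above): a small
# validator for ASIL decomposition trees against the schemes of 5.4.10 and
# the marking rule of 5.4.9 c). Requirement names such as "SG-1" are made up.
from __future__ import annotations
from dataclasses import dataclass, field

# Ordinal rank of each level; QM is below ASIL A.
ASIL_RANK = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}

# Decomposition schemes listed in 5.4.10 a) to d): ASIL before decomposition
# -> the pairs of ASILs it may be decomposed into.
SCHEMES = {
    "D": [("C", "A"), ("B", "B"), ("D", "QM")],
    "C": [("B", "A"), ("C", "QM")],
    "B": [("A", "A"), ("B", "QM")],
    "A": [("A", "QM")],
}


@dataclass
class Requirement:
    """One safety requirement in a decomposition tree."""
    name: str
    asil: str                 # ASIL of this requirement ("QM" or "A".."D")
    goal: str                 # ASIL of the safety goal, kept for the marking
    children: list = field(default_factory=list)

    def label(self) -> str:
        """Marking per 5.4.9 c): the decomposed ASIL with the safety-goal
        ASIL in parentheses, e.g. "ASIL C(D)" or "QM(D)"."""
        if self.asil == "QM":
            return f"QM({self.goal})"
        return f"ASIL {self.asil}({self.goal})"


def scheme_allowed(parent: str, child1: str, child2: str) -> bool:
    """True if the pair is a listed 5.4.10 scheme for `parent`, or results
    in higher ASILs than a listed scheme (which 5.4.10 also permits).
    A QM requirement has nothing to decompose."""
    if parent not in SCHEMES:
        return False
    hi, lo = sorted((ASIL_RANK[child1], ASIL_RANK[child2]), reverse=True)
    for a, b in SCHEMES[parent]:
        ref_hi, ref_lo = sorted((ASIL_RANK[a], ASIL_RANK[b]), reverse=True)
        if hi >= ref_hi and lo >= ref_lo:
            return True
    return False


def validate(req: Requirement, errors: list | None = None) -> list:
    """Walk the tree and collect violations of 5.4.9 c) and 5.4.10.
    Returns an empty list for a compliant decomposition."""
    errors = [] if errors is None else errors
    if not req.children:
        return errors
    if len(req.children) != 2:
        errors.append(f"{req.name}: each decomposition yields exactly two "
                      f"requirements, found {len(req.children)}")
    else:
        c1, c2 = req.children
        if not scheme_allowed(req.asil, c1.asil, c2.asil):
            errors.append(f"{req.name}: {req.asil} -> {c1.asil} + {c2.asil} "
                          f"is not a 5.4.10 scheme")
    for child in req.children:
        # The safety goal's ASIL in the marking never changes (5.4.9 EXAMPLE).
        if child.goal != req.goal:
            errors.append(f"{child.name}: marked {child.label()} but the "
                          f"safety goal is ASIL {req.goal}")
        validate(child, errors)
    return errors


def leaf_labels(req: Requirement) -> list:
    """Markings of the requirements that are not decomposed further."""
    if not req.children:
        return [req.label()]
    return [lbl for child in req.children for lbl in leaf_labels(child)]


def example_5_4_9() -> Requirement:
    """The two-step decomposition of the EXAMPLE in 5.4.9:
    D -> C(D) + A(D), then C(D) -> B(D) + A(D). Names are constructed."""
    root = Requirement("SG-1", "D", "D")
    c = Requirement("REQ-1", "C", "D")
    root.children = [c, Requirement("REQ-2", "A", "D")]
    c.children = [Requirement("REQ-1.1", "B", "D"),
                  Requirement("REQ-1.2", "A", "D")]
    return root


def example_function_f() -> Requirement:
    """The blog post's case: function F (ASIL D) decomposed into the intended
    functionality at QM(D) and the speed-limit safety mechanism at D(D)."""
    root = Requirement("F", "D", "D")
    root.children = [Requirement("F-intended-functionality", "QM", "D"),
                     Requirement("F-safety-mechanism", "D", "D")]
    return root


if __name__ == "__main__":
    for tree in (example_5_4_9(), example_function_f()):
        print(tree.name, leaf_labels(tree), validate(tree) or "compliant")
```

The "results in higher ASILs" clause of 5.4.10 is implemented by comparing the proposed pair against each listed scheme rank by rank, so D decomposed into C(D) + B(D) passes (it dominates C + A) while D into A(D) + A(D) fails against every listed scheme.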
References: http://www.hirain.com/sts/142/445
https://wenku.baidu.com/view/8bb72c3811661ed9ad51f01dc281e53a580251f6.html?rec_flag=default&sxts=1531116988266&sxts=1531117206760&pn=50