Professional Documents
Culture Documents
Electronic Architecture and System Engineering Fo
Electronic Architecture and System Engineering Fo
Electronic Architecture and System Engineering Fo
Editor
Dr David WARD MIRA Ltd (david.ward@mira.co.uk)
Authors
Mr Malte JACOBS Adam Opel AG (Malte.Jacobs@de.opel.com)
Dr Antoni FERR Lear Corporation (AFerre@lear.com)
Dr-Ing Uwe HONEKAMP Vector Informatik GmbH (uwe.honekamp@vector-informatik.de)
Mr Christian SCHEIDLER DaimlerChrysler AG (christian.scheidler@daimlerchrysler.com)
Mr Xi CHEN DaimlerChrysler AG (xi.chen@daimlerchrysler.com)
Mr Alexander BLECKEN DaimlerChrysler AG (alexander.blecken@daimlerchrysler.com)
Mr Eric FITTERER PSA (eric.fitterer@mpsa.com)
Dr Bernhard JOSKO Kuratorium OFFIS eV (Bernhard.Josko@offis.de)
The Consortium:
DaimlerChrysler (D) Bosch (D) Continental Teves (D)
C.R.F (I) DAF Trucks (NL) DECOMSYS (A)
dSPACE (D) ETAS (D) Philips (D)
LEAR (E) MIRA (UK) Motorola (D)
OFFIS (D) Opel (D) PSA (F)
REGIENOV (F) Universitt Duisburg Essen (D) Valeo (F)
Vector (D) Volvo (S) ZF(D)
Revision chart and history log
Authors ................................................................................................. i
Revision chart and history log .............................................................. i
Table of contents.................................................................................. i
Executive summary ............................................................................. 1
1 Objectives and deliverables of WT 0.1.2...................................... 3
1.1 WT 0.1.2 objectives ................................................................. 3
1.2 Details of WT 0.1.2 deliverables .............................................. 3
2 Deliverable contents..................................................................... 4
2.1 Summary of findings ................................................................ 4
2.1.1 State of the art of legislation........................................... 4
2.1.2 State of the art of capability and maturity ....................... 6
2.1.3 State of the art of safety ................................................. 6
2.1.4 State of the art of engineering ........................................ 6
2.1.5 State of the art of hardware and software components.. 6
2.1.6 State of the art of tools ................................................... 6
2.2 Summary of items.................................................................... 6
2.2.1 ECE Regulation 10......................................................... 6
2.2.2 ECE Regulation 13......................................................... 6
2.2.3 ECE Regulation 48......................................................... 6
2.2.4 ECE Regulation 79......................................................... 6
2.2.5 ECE Regulation 97......................................................... 6
2.2.6 ECE Regulation 100....................................................... 6
2.2.7 European statement of principles on HMI ...................... 6
2.2.8 RESPONSE projects ...................................................... 6
2.2.9 Capability Maturity Model Integration ............................. 6
2.2.10 ISO/IEC TR 15504 .............................................. 6
2.2.11 Automotive SPICE .............................................. 6
2.2.12 SPICE for Space................................................. 6
2.2.13 IEC 61508........................................................... 6
2.2.14 MISRA Guidelines .............................................. 6
2.2.15 EN 50126, EN 50128, EN 50129 ........................ 6
2.2.16 DO-178B ............................................................. 6
2.2.17 ARP 4754/4761 .................................................. 6
2.2.18 MIL-STD-882D.................................................... 6
2.2.19 MATISSE project ................................................ 6
2.2.20 SETTA project .................................................... 6
EASIS Deliverable D0.1.2
Executive summary
The objective of this work task was to identify the state-of-the-art in respect to integrated safety
systems, to provide a baseline for developing the EASIS process. The state-of-the-art
examination covered six topics, namely:
Legislation
Capability and maturity
Safety
Engineering
Hardware and software components
Tools
For each of these topics, a list of subjects to examine was generated and the available items were
studied to determine their contribution to the state-of-the-art.
For legislation, the present state-of-the-art is concerned with the Type Approval process that is
aimed at mechanically-based systems. Some of the legislation is being modified to address
electronic systems: the braking legislation now contains an approval process for software-based
systems that is likely to be extended to other domains, and the steering legislation is being
modified to permit the approval of advanced systems. A number of activities such as the
RESPONSE projects have identified the need for legislation to be further updated to permit the
approval of Integrated Safety Systems. In particular, there is no procedure at present that is
suitable for approving the testing of such systems at the prototype stage. Legislation also needs
updating to address the liability and responsibility issues associated with fully-automatic systems in
which the driver is unable to over-ride the reaction of the system.
For capability and maturity, the present state-of-the-art is concerned with measuring attributes of
the development process that are not specifically concerned with safety, although safety
engineering activities are often part of the activities that can be measured using the capability
maturity assessment techniques. Safety attributes can be explicitly included, as has been done in
the space sector. However, the capability maturity assessment techniques do not yet include
product assessment, which is also needed for Integrated Safety Systems.
For safety, the concepts and principles of safety-related systems engineering are well known,
particularly in the aerospace industry. For automotive systems, the most relevant state-of-the-art is
found in the automotive MISRA Guidelines and in the generic standard IEC 61508. Several
research projects have looked at new techniques that can support the development of dependable
automotive systems; in particular, how techniques used in the aerospace industry can be
transferred into the automotive industry. A German initiative is developing an automotive version
of IEC 61508, recognizing that there are several issues with applying the standard in its present
form directly to automotive systems, including the methods to be used for hazard and risk analysis,
the mapping of the safety lifecycle to automotive product development lifecycles (see also the
engineering topic), and the identification and selection of appropriate lifecycle techniques and
measures. This standard is expected to become an ISO standard in due course.
For engineering, every company (both OEM and supplier) has their own engineering process and
it is difficult to generalize a state-of-the-art. However, generic lifecycles for both vehicles and their
systems have been identified. A gap analysis has been performed on these processes, which has
shown that there are significant needs for the processes to be improved and adapted to meet the
requirements of Integrated Safety Systems in order to achieve future road safety targets. The
most significant gaps were found in engineering method, requirements engineering, safety
requirements engineering, verification and validation, and architectural specification. This gap
analysis is summarized in the table below:
Scale
Less More
For hardware and software components, there are many different architectures in use ranging
from low-end vehicles with few electronic modules through to luxury vehicles with many ECUs and
several networks. There is a high diversity of approaches in all areas, for example in architecture
and ECU protection strategies, and the approaches are often specific to the manufacturer and the
application. Some standardization is evident: OSEK is becoming the standard for operating-
system software, and standards are beginning to emerge for different safety aspects, notably in the
powertrain and chassis domains. However, the transition from current concepts (low-end and
luxury) to a new architecture concept (integrated safety) is not straightforward.
For tools, many tools to support all stages of the development process are available and are in
widespread use in the automotive industry. These range from full commercial tools right through to
proprietary in house tools developed by a manufacturer for a specific application. However, few
of the commercial tools have a specific qualification for use in safety-related systems (e.g.
certification against IEC 61508). There is greater availability of qualified tools in the aerospace
industry, and some of these are beginning to be adapted for automotive use. There are also some
automotive-specific tools for safety emerging, such as MISRA C code checkers.
The objective of this work task is to produce the state-of-the-art section of Deliverable D0.1.
Deliverable D0.1 will consist of the state-of-the-art information and the glossary produced by Work
Task 0.1.1.
The main focus of the recommendations in this Work Task will be to provide input for subsequent
tasks in WP0.2, especially:
Common objectives and requirements
The EASIS process
According to the proposal for the work task structure [1] the deliverables of WT 0.1.2 consist of the
following parts:
Summary of findings: a summary of the state of the art in each topic
studied
Summary of items: a summary of the source documents and
projects examined
2 Deliverable contents
This work task was divided into the examination of the state-of-the art in six topics, namely:
Legislation
Capability and maturity
Safety
Engineering
Hardware and software components
Tools
For each of these topics, a list of subjects to examine was generated and the available items were
studied to determine their contribution to the state-of-the-art. These findings are summarized in
this section. The next section contains a summary of the items themselves (e.g. standards and
projects).
The emphasis on the analysis was to examine items related to automotive systems and safety.
Where material from other sectors that can be useful in improving automotive best practice has
been identified this is included, but with a lesser emphasis.
The state-of-the-art in this topic was investigated using the domains suggested in the EAST-EEA
Glossary [2], which lists five traditional domains for automotive electronics:
Chassis (ABS, suspension, etc.)
Powertrain (engine, gearbox, etc.)
Body functions (lighting, seats, windows, door locks, )
Telematics (information exchange between the vehicle and the
outside world)
Human-machine interface (HMI) information exchange between
vehicle systems and vehicle occupants.
Relevant legislative requirements for each of these domains that are concerned with the safety of
electronic systems will be identified.
There are two categories of legislation affecting European vehicles:
European Directives. Some Directives implement ECE Regulations
(see below), whilst other Directives are more general. Directive
70/156/EEC as amended by Directive 92/53/EEC sets the framework
for automotive Type Approval and specifies the items that must be
subject to approval according to specific technical directives. This
system provides for the approval of whole vehicles, vehicle systems,
and separate components.
United Nations Economic Commission for Europe (ECE)
Regulations, which address specific technical aspects of vehicles.
These are applied to vehicle systems and separate components.
Where certain technical areas of the vehicle are not covered by specific legislation, the European
Directives 2001/95/EC on Product Safety and 85/374/EEC on Product Liability may apply. These
Directives require that manufacturers of products comply with best practice and state-of-the-art of
scientific knowledge at the point of sale of a product. These Directives are particularly relevant for
programmable electronic safety-related systems, as with the exception of Regulation 13 noted
below there is at the present time no specific vehicle legislation relating to such systems. At the
time of preparing this report, there is a proposal to the UN ECE to extend the concepts of
Regulation 13 Annex 18 to all complex electronic systems.
In the following domain descriptions, the ECE Regulations are quoted. Cross-references to the
appropriate European Directives are given in the individual item summaries (2.2.1 to 2.2.6).
2.1.1.1 Chassis
The following ECE Regulations affect electronic systems in the chassis domain:
ECE Regulation 10 (electromagnetic compatibility) [3] requires a level of electromagnetic immunity
performance from systems that can affect the drivers direct control of the vehicle.
ECE Regulation 13 (braking) [4] contains Annex 18 Complex electronic systems. Complex in
this context refers to systems where there is a hierarchy of control, such that lower level functions
can be over-ridden by higher level functions. Annex 18 includes a requirement for the
manufacturer to demonstrate their safety concept, which means the design decision made for the
system to fail safe or be fault tolerant and an overview of the means by which this is achieved.
ECE Regulation 79 (steering) [6]. At the present time this Regulation requires that the primary
steering systems does not rely on steering commands being transmitted by purely electrical means
(or other non-mechanical means). A new version of this Regulation is under development in which
the need for a mechanical link is removed, thus providing scope for the approval of a broad range
of steering systems from traditional mechanical through to steer-by-wire. In addition there will be a
new Annex 6 of the Regulation on Complex electronic systems similar to Regulation 13.
2.1.1.2 Powertrain
The following ECE Regulations affect electronic systems in the powertrain domain:
ECE Regulation 10 (electromagnetic compatibility) [3] requires a level of electromagnetic immunity
performance from systems that can affect the drivers direct control of the vehicle.
ECE Regulation 97 (alarm systems) [7] contains a requirement that an alarm system shall not
affect vehicle operation or its safe performance. This may be interpreted as applying to
immobilizers that operate on the powertrain.
ECE Regulation 100 (battery electric vehicles) [8] contains functional safety requirements for
battery electric vehicles, although these are more concerned with the types of safety functions that
are required (e.g. warnings and interlocks) rather than how they are implemented.
The following ECE Regulations affect electronic systems in the chassis domain:
ECE Regulation 10 (electromagnetic compatibility) [3] requires a level of electromagnetic immunity
performance from systems that can affect the drivers direct control of the vehicle.
ECE Regulation 48 (lighting and light signalling) [5] contains requirements on the operation of
lighting, tell-tale (ie. warning) devices, interconnection of lighting and automatic operation of
exterior lights.
ECE Regulation 97 (alarm systems) [7] contains a requirement that an alarm system shall not
affect vehicle operation or its safe performance.
2.1.1.4 Telematics
The following ECE Regulations affect electronic systems in the telematics domain:
ECE Regulation 10 (electromagnetic compatibility) [3] requires a level of electromagnetic immunity
performance from systems that can affect the drivers direct control of the vehicle.
The updates to vehicle EMC legislation will require that vehicle systems demonstrate immunity to
the wanted signals from radio transmitting equipment installed in the vehicle.
No specific legislation has yet been identified in this domain, but there is a European statement of
principles on HMI [9]. This is principally concerned with aspects of the presentation of information
to vehicle occupants, so that the driver is not distracted; but also includes requirements on the
system design such that the driver maintains safe control of the vehicle at all times.
The RESPONSE projects (see [10]) have been included under legislation as, while they are
European collaborative research projects, they have been identifying the need for legislation to
adapt to the development and deployment of advanced driver assistance systems (ADAS).
The projects have investigated the requirements for future legislation for ADAS. In particular
RESPONSE 1 identified the need for a Code of Practice to address issues such as testing of
prototype vehicles with ADAS, and the need for issues of liability with automated systems to be
resolved. RESPONSE 2 identified the need for processes for risk analysis and risk-benefit
analysis for ADAS. RESPONSE 3, part of the PReVENT programme, will:
Develop a risk assessment procedure for next-generation sensors
within ADAS
Provide input on specific ADAS issues to the automotive version of
IEC 61508 being developed by FAKRA
Develop a code of practice for development and testing of ADAS.
Future legislation will need to consider:
Whether any specific legislative requirements are required for
prototype testing of ADAS;
The Type Approval (or other) regime for the approval of ADAS;
Whether any specific driver training and licensing is required to
operate ADAS;
Liability issues if an ADAS system that has full authority over a
vehicle function fails and an accident occurs, who is responsible?
Furthermore, research in the UK [11] from a roadside equipment perspective, that in the UK is also
subject to a Type Approval regime, has shown that an updated approach to operate in parallel to
Type Approval is required for advanced traffic control systems, including those that link to vehicle
functions. The project proposed such an approach that is now being applied to some infrastructure
projects in the UK.
All capability models are based on graded levels of maturity. In CMMI, there are 5 or 6 levels of
maturity depending on whether a staged or continuous process reference model is used. In ISO
15504 and its derivatives, 6 levels of maturity are used. These levels are summarized in the
following table:
The use of discrete levels invariably invites a comparison with the use of safety integrity levels in
IEC 61508 and the MISRA Guidelines. Various researchers have tried to develop more formal
mappings between these levels for example [19]. In general it can be argued that a process that
is capable of developing a system or software to a certain SIL is likely to have reached a certain
capability level. However the reverse is unlikely to hold; ie. it does not follow that a process that
has attained a certain capability level will be guaranteed to be suitable for developing a system to a
certain SIL. Furthermore, meeting a certain capability level does not necessarily include a
requirement for safety engineering processes to be incorporated. See Figure 1.
May imply
SIL 2 CMMI 3
However it can be noted that the MISRA Guidelines [22] require that any software development is
undertaken within the context of a Quality Management System that complies with the
requirements of ISO 9001 as assessed by ISO 9000-3 (now ISO 90003). It has been
demonstrated by practitioners in the subject that ISO 9000-3 accreditation is equivalent to a
process attaining CMMI Level 3 or ISO TR/15504 Level 3. Therefore a Level 3 process capability
can be seen as a quality baseline for a process for developing safety-related software.
All capability and maturity models use a process reference model of some kind. The process
reference models include process steps that can incorporate safety engineering activities, but in
the basic models as defined by CMMI and ISO 15504 they are not explicitly included. It is
therefore possible in general to map aspects of the process reference models to specific activities
required in the safety-related standards e.g. IEC 61508. However it is again necessary to observe
that while a mature process capable of developing safety-related systems will therefore include
many of the elements of a well-defined process reference model, the reverse does not necessarily
hold.
In CMMI, process steps are broadly classified as:
Process management
Project management
Engineering
Support.
In ISO 15504 and its derivatives, process steps are generally classified as:
CUS (customer-supplier process)
ENG (engineering process)
MAN (management process)
SUP (support process)
ORG (organizational process).
In the proposed Automotive SPICE, CUS processes have been replaced with ACQ (acquisition
process). No specific safety requirements have been added although it is understood to be a
future work item.
In SPICE for Space, process steps have been added to the SUP processes for safety and
dependability (SUP 9) and independent verification and validation (SUP 10). There is a target
profile by software criticality class (A: catastrophic through to E: negligible) for the required
capability level. For Class A (catastrophic) both SUP 9 and SUP 10 must be at capability level 4.
For Class B (critical) both SUP 9 and SUP 10 must be at capability level 3. There is no
requirement for the lower levels.
Traditional development lifecycles for both products and embedded software follow a V model or
waterfall model. There are two approaches to covering safety aspects in a system lifecycle:
Require a separate lifecycle for safety-related function development
Embed the safety activities in the product development lifecycle.
In IEC 61508, the first approach to a safety lifecycle is taken. This standard is based on the
concept of equipment under control and safety functions are added in two contexts:
1. Where a safety-related system is added on to equipment under control to reduce the risk of a
hazardous event by implementing safety functions;
2. Where such safety functions are part of the equipments control system rather than a separate
protection system.
The standard adopts an overall safety lifecycle (see Figure 2 of Part 1) as its technical framework.
This lifecycle is intended as the basis for claiming conformance with the standard. A different
lifecycle can be used, but the objectives and requirements of each clause of the standard must be
met.
The overall lifecycle is concerned with the attainment of risk reduction (q.v.) through three distinct
means:
Electrical, electronic and programmable electronic (E/E/PES) safety-
related systems
Other technology safety-related systems
External risk reduction facilities.
The standard is only concerned with the first means (E/E/PES). Separate safety lifecycles are
given for the E/E/PES themselves (Part 2) and for software (Part 3).
The IEC 61508 lifecycle does not easily align with the traditional automotive engineering
approaches as described in Section 2.1.4.1. In the automotive approach, there are a number of
iterations for both vehicle and system design; in particular software development may follow
multiple V cycles. The final integration and validation is performed before volume production
commences. In the IEC 61508 model, it is assumed that system realization is a single step. The
final integration and validation may well be performed as part of the commissioning of the system
at its physical installation.
In the MISRA Guidelines, the second approach to a safety lifecycle is taken. The Guidelines
require an appropriate lifecycle to be defined for both system and software. A per-system lifecycle
should be defined that is compatible with the project definition and the overall vehicle plan.
The overall vehicle development lifecycle should have phases identified for safety aspects, and a
safety plan is required.
A generic lifecycle is used as an example that is broadly similar to the one in IEC 61508. Note that
this lifecycle includes both hardware and software.
MIL-STD-882D [29] does not explicitly define a safety life cycle. However, it lists a number of
system safety activities that shall be performed throughout the system life cycle. These activities
are:
Documentation of the system safety approach
Identification of hazards
Assessment of mishap risk
Identification of mishap risk mitigation measures
Reduction of mishap risk to an acceptable level
Verification of mishap risk reduction
Review of hazards and acceptance of residual mishap risk by the
appropriate authority
Tracking of hazards, their closures, and residual mishap risk.
In the MATISSE project [30], a process is proposed based on the use of a formal mathematical
method (B). A B development lifecycle is proposed in which certain stages of the traditional V
model are omitted, being replaced by formal proof of the specification and of the design. The
omitted tasks (unit/integration tests and validation tests) would still have to be done on third-party
libraries and on software developed without using the formal method. Global tests still have to be
carried out.
In the SETTA project [31], shortcomings with applying the traditional V model to the development
of time-triggered systems (such as may be used to implement X-by-wire systems) were identified.
The SETTA project used the concept of the 3V model, where separate V models are applied to
development of the functionality, to rapid prototyping, and to development on the final target
hardware. SETTA proposed a process model in which tool support was used to overcome the
issues.
This subject covers the means by which hazards and/or risks are classified into categories. The
actual process of identifying and classifying specific hazards and/or risks is covered in the next
section.
The majority of standards and guidelines in the safety-related systems domains use risk reduction
as the means for ensuring that a system is sufficiently safe. Hazards are classified according to
the level of risk reduction required to reduce the risk associated with a hazard to an acceptable
level. The required risk reduction is allocated to the various parts of the system.
5.8.2004 Version 1.0 10
EASIS Deliverable D0.1.2
IEC 61508, as the generic standard for safety-related systems, is the benchmark for hazard and
risk reduction techniques. It uses the concept of the Safety Integrity Level (SIL) as a measure of
the necessary safety requirements for a particular system or function to achieve its allocated risk
reduction.
IEC 61508 defines safety integrity as the probability of a safety-related system satisfactorily
performing all of the required safety functions under all the stated conditions within a stated period
of time. A SIL is a discrete level for specifying the safety integrity requirements of the safety
functions allocated to the E/E/PES safety-related systems. The necessary risk reduction is
apportioned between the various types of risk-reducing facilities (E/E/PES, other technology,
external) and the SIL is a measure of the safety requirements necessary for a particular system or
function to achieve its allocated risk reduction.
There are four SILs, with SIL 1 representing the lowest level of safety integrity and SIL 4 the
highest.
In the MISRA Guidelines, hazards are classified using controllability which is a measure of the
ability of the driver or other vehicle occupant to control the safety of the situation following a failure.
It recognizes that a failure in a vehicle system does not necessarily lead to a hazardous event.
There are 5 controllability classifications, and the hazard with the highest controllability
classification determines the integrity level for the system.
There is a 11 correspondence between controllability and integrity level, therefore MISRA has 5
integrity levels. MISRA integrity levels 14 are concerned with safety-related functions, and
MISRA integrity level 0 is concerned with non-safety-related functions. MISRA uses integrity
level rather than safety integrity level because integrity in an automotive context encompasses
the need for a system to be reliable not only for safety reasons, but also for reasons of product
quality, preventing economic loss, etc. MISRA integrity levels 14 are broadly equivalent to IEC
61508 SIL 14, and practitioners frequently use the terms interchangeably.
Similar classification schemes are found in other standards and guidelines. Some notable
standards include the UK Defence Standards [32] where SIL is used as a measure of the (safety)
assurance required in a system. SILs are derived by classifying the accident severity and
combining it with the probability of failure. In the civil aviation sector (e.g. [26]) hazards are
classified using a scheme similar to controllability where the ability of an aircraft flight crew to
continue in safe flight and landing after a failure are assessed.
The US MIL-STD-882D [29] takes a similar approach but does not explicitly use the term SIL. For
each identified hazard, the severity and probability of the associated mishap (accident) define the
mishap risk associated with the hazard. The need for risk reduction is determined by the
relationship between these mishap risks and the mishap risk level that has been defined as
acceptable. Some examples of requirements that are relevant in this context are:
The catastrophic mishap rate shall not exceed per operational
hour
No hazards assigned a catastrophic severity are acceptable.
The controllability technique and its relationship to other approaches are discussed more fully in
[33].
Hazard and safety analysis techniques are used for two purposes:
To identify the hazards associated with a system and the necessary
level of risk reduction;
To verify during the development of the system that the necessary
level of risk reduction is being achieved.
In IEC 61508, there are no specific requirements for the hazard analysis techniques to be used,
but examples of quantitative and qualitative methods of SIL determination are given in Part 5.
For quantitative methods, an example of numerical calculation of
failure rates is given.
For qualitative methods, examples of the risk graph and the
hazardous event severity matrix. It is noted that both of these
methods need industry specific versions.
A reference is made to the MISRA guidelines for an alternative
method.
IEC 61508 includes the principles of tolerable risk and ALARP (as low as reasonably practical).
ALARP is a pragmatic approach for assessing the level of risk reduction that can be achieved
compared with the benefits that are delivered by that risk reduction.
The MISRA Guidelines have a requirement for a preliminary safety analysis to be performed during
concept design and for detailed safety analysis (intended to be iterative) during system design.
Preliminary safety analysis can be done using the PASSPORT process (which amounts to an
informal FMEA and FTA) or HAZOP. Detailed safety analysis can include activities such as FMEA
and FTA.
Further guidance on safety analysis is due to be published at the end of 2004 incorporating
automotive versions of the risk graph and HAZOP approaches.
In the SETTA project, it was recognized that functional development and safety analysis are often
carried out separately from each other. It was proposed to integrate both activities via tool
interfacing. Tools supporting FTA could be connected to simulation tools such as Matlab/Simulink
with the aim of generating fault trees semi-automatically.
This subject is concerned with both safety requirements (the design requirements that are
necessary for the hardware to be safe) and design process requirements.
IEC 61508 Part 2 contains tables of techniques and measures to:
Control failures during operation
Control systematic operational failures
Control systematic failures caused by hardware (and software)
design
Control systematic failures caused by environmental stress or
influences
Avoid systematic failures during different phases of the lifecycle.
Each technique and measure is graded with a requirement for its use by SIL. It is noted that many
of these techniques are quite specific to the industrial process control sector.
The MISRA Guidelines, while not specifically concerned with hardware, give guidance on some
hardware issues related to electromagnetic compatibility (EMC) performance and design of real-
time systems such as interrupts. The MISRA model lifecycle includes parallel activities for the
design and implementation of both hardware and software.
In MIL-STD-882D [29], the topic of design requirements is addressed at a high abstraction level
that covers both hardware and software as well as any other implementation technology. Although
no specific design requirements are given, the document provides some comments and examples
regarding design requirements:
This subject is concerned with both safety requirements (the design requirements that are
necessary for the software to be safe) and design process requirements.
IEC 61508 Part 2 contains a table of techniques and measures to control systematic failures
caused by hardware and software design. The software part of the table cross-references to
Part 3. This Part contains a guide to the selection of techniques and measures for software and
provides detailed tables for some of them. Part 7 has an overview of these techniques and
measures. It contains recommendations for specific programming languages including C, which
can be used at all SILs provided a subset, coding standard and static analysis tools are used.
IEC 61508 contains many techniques and measures that are primarily applicable in industrial
process control. Some of these may however be useful in developing guidance for emerging
technologies in the automotive industry. An example is the use for industrial control of PLC
(programmable logic controllers), which are typically programmed using a language such as
ladder logic which is a degree of abstraction removed from the code instructions that implement
it. IEC 61508 describes such languages as limited variability. There may be scope for applying
some of these requirements to assist with implementing model-based development and autocode.
In the MISRA Guidelines, Table 3 gives a summary of requirements for each lifecycle stage
(specification and design, languages and compilers, configuration management, testing,
verification and validation) against integrity level. MISRA C [34] gives specific guidance on the
safer use of C within automotive embedded systems.
Safety proof is understood to mean the evidence that a system (the final prototype or the series
product) meets the safety requirements.
IEC 61508 [20] uses the terms overall/ E/E/PES/ software safety validation for the activities of
confirming that the EUC/ E/E/PES/ software meets the respective functional safety requirements
and the safety integrity requirements. The means of validation can be either analysis or testing.
For software, IEC 61508 declares testing to be the main validation method. Part 7 lists as general
validation methods: functional testing under environmental conditions, interference surge immunity
testing, static analysis, dynamic analysis, worst case analysis, expanded functional testing, worst
case testing, fault insertion testing, and five failure analysis techniques: failure modes and effects
analysis (FMEA), cause consequence diagrams, event tree analysis, failure modes, effects and
criticality analysis (FMECA), and fault tree analysis (FTA).
The state of the art in the automotive industry is the existence of a sophisticated quality
management. Safety and reliability are considered to be quality attributes that form the top of a
pyramid that is based on quality ([35]). Most of the established quality assurance procedures are
not specifically tailored to safety.
For quality assurance specific procedures for the supplier and the vehicle manufacturer are
described in the VDA series on quality management (e.g. in [36], [37]). They include failure modes
and effects analysis, sample tests (including functional tests), reliability tests, reviews and audits.
Failure mode and effects analysis (FMEA) is well-established in the automotive industry. Three
types of FMEA are distinguished: System FMEA, Design FMEA, and Process FMEA. Although
being a method for preventive quality assurance and risk assessment, the value of carrying out an
FMEA from system level down to design level is that it also gives evidence in the systems ability to
fulfil the safety requirements. The VDA FMEA guidelines [37] propose the use of risk priority
numbers (RPZ) which are calculated as the product of the parameters B (seriousness), A
(occurrence probability), and E (probability of recognition). For the parameter B levels from 1 to 10
are defined with the highest levels for safety related hazards. Thus, FMEA can be used to assess
the safety related risks of the product design on a coarse scale. For software the FMEA is usually
carried out only on specification level. Risks of the implementation are not specifically addressed.
Note: in English-language automotive FMEA standards the respective parameters are RPN,
severity (S), occurrence (O) and detection (D).
Fault tree analysis (FTA) is sporadically used in automotive industry for providing quantitative or
more detailed analysis results for critical top events. FTA is also addressed by the VDA series on
quality management ([38]). Nevertheless, different conceptions of suppliers and vehicle
manufacturers with respect to suitable structure, level of detail, and source of claimed failure rates
of an FTA exist which reduces the general acceptance of this method.
Volume 13 of the VDA series [39] which is concerned with software-dominated systems introduces
a set of general requirements for software quality assurance. Based on a V model of software
development a set of review and test activities is defined together with some general criteria. A
link to safety requirements is not mentioned explicitly.
In addition to the comprehensive approaches like FMEA and FTA, there are partial approaches
that validate a product design with respect to specific requirements that are related to safety (e.g.
freedom from certain design faults, robustness with respect to specific faults). Examples of such
approaches are core fault emulation, worst case execution time analysis and automated static and
dynamic code analysis. However, these approaches are only sporadically used in the automotive
industry and not established.
Most safety-related systems standards include a requirement for safety assessment, where the
level of safety achieved by the system has to be assessed independently from the developers.
In IEC 61508, there is a stated requirement for functional safety assessment, meaning the use of a
person or team independent form the system developers. The minimum levels of independence
vary with SIL and also with the degree to which the system or the technology used in it is novel.
The MISRA Guidelines recommend that a company nominates a suitably qualified and
independent assessor and/or auditor to perform product assessment, in order to act as an
advocate for the level of confidence in the safety delivered to the end customer. An assessment
process should be performed to demonstrate that the risks associated with the final system are at
an acceptable level. The MISRA Guidelines are less prescriptive than IEC 61508 on minimum
independence requirements, but it is required to be a different person, or a different
department/section, or a different company/division.
The state of the art for engineering integrated safety systems is described in two parts. Section
2.1.4.1 outlines a representative engineering process from current practice of engineering
5.8.2004 Version 1.0 14
EASIS Deliverable D0.1.2
automotive embedded controls. Section 2.1.4.2 is an assessment of the current practice relative to
the state needed for meeting 2010 road safety objectives of the European Commission.
To develop an electronic automotive control system, several typical design steps have to be
performed. The requirements are stating what the control system should do. These requirements
are transformed into control-engineering (or functional) models. The subsystems of the functional
model are distributed over several ECUs, e.g. by using existing subsystems on remote ECUs.
Feasibility of the distribution or allocation is checked, i.e., whether the requirements of the
application system are satisfied, e.g., memory and processor capacity on the ECUs, capacity on
the communication buses, and overall timing requirements. Having all subsystems broken down to
ECUs, the software-design of the control-algorithm starts taking into account the current E/E-
architecture. The implementation of the control algorithm (coding) and integration with other
software components on a particular ECU follow the design phase. The ECUs communicating over
the network have to be integrated to form the E/E-architecture. Design of the distribution or
allocation is often iterative, including investigation of modification to the physical architecture.
These design iterations could be costly, and some timing errors could still remain latent. Having
done this, all functions are validated: critical ones on architecture test bench, and all, in vehicle
tests. If a system works at all, it has to be calibrated. Exhaustive field testing may reveal errors
occurring very rarely. This type of a process is often shown as a V Model (Figure 29). All design
steps are shown on the left side, the implementation is in the bottom whereas testing, integration &
calibration steps are shown at the right side of the V.
In automotive control systems design, these design steps are not performed only once, but several
times. The reason is that the electronic design process is embedded in the mechanical design
cycle. The latter spans from CAD-design of the engine/vehicle down to the preparation of the
appropriate production plant. An example is shown in Figure 2.
M0 M1 M2 M3 M4 SOP
0
Concept
Phase 1
2
3
Hardware
Support
Mules
Prototype A
Prot. B
and integrated in the Mules by prototype shops. From the suppliers point of view, these mules are
often called A-samples, because the vehicle manufacturer obtains a complete automotive
electronic control system which is not the case in the earlier concept validation phase. The
purpose of the Mules is component development and public road tests. The component
development includes crash, durability and noise & vibration testing. For functional chassis
development, one winter and one summer test are included.
Prototype As are the first vehicles that have the shape of the new vehicles. Ideally, the Prototype A
has all new components included. The control units are usually B-samples of the production
supplier. The components are integrated in the vehicle by prototype shops. The purpose of the
Prototype A is the validation of the vehicle integration and the performance evaluation. For
functional chassis development, one winter and one summer test are included. Typically only very
few Prototype A are build up and shared between different departments. The optimisations of the
development process are included into the Prototype A during lifetime. The release of the
production parts are usually based on the Prototype A development.
Different types of Prototype B are the last development vehicles built before SOP (Start of
production). All the parts of the Prototype B are off-tool parts of the production supplier (C-
Samples), the very last group of Prototype B vehicles has to be equipped with parts produced
under production conditions (D-Samples). The purpose of the B prototype is the complete vehicle
validation and the manufacturing process validation. For functional chassis development, one
winter and one summer test are included.
During the Vehicle Development Process, different Management Milestones has to be reached.
Engineering Start, Styling/Package Freeze, Release and Start of Production are possible
milestones. As can be seen in Figure 1, the management milestones are closely linked with the
successful validation of the different prototypes. Therefore, in the sequel the development time to
reach this milestone is called a development stage.
Some examples for typical engineering development processes in the automotive industry are
introduced in the VEESA study [113].
The engineering process looked at from a System Suppliers Point of view can be demonstrated
according to Figure 3:
Concept Vehicle
First Ideas Validation Project A-Sample B-Sample C-Sample SOP Reflashing 1 Reflashing 2
Requirements Management x x x x
Function Analysis/Spec. x x x x x
Partioning x x x x
SW-Design x x x x
Implementation x x x x
SW-Integration x x x x
Com.System Integration ? x x x
Vehilce Test x x x x
Fine-Tuning ? x x
Field Test ? ? x
Concept Vehicle
First Ideas Validation Project A-Sample B-Sample C-Sample SOP Reflashing 1 Reflashing 2
Requirements Management x x x x
Function Analysis/Spec. x x x x x
Partioning x x x x
SW-Design x x x x
Implementation x x x x
SW-Integration x x x x
Com.System Integration ? x x x
Vehilce Test x x x x
Fine-Tuning ? x x
Field Test ? ? x
Concept Vehicle
First Ideas Validation Project A-Sample B-Sample C-Sample SOP Reflashing 1 Reflashing 2
Requirements Management x x x x
Function Analysis/Spec. x x x x x
Partioning x x x x
SW-Design x x x x
Implementation x x x x
SW-Integration x x x x
Com.System Integration ? x x x
Vehilce Test x x x x
Fine-Tuning ? x x
Field Test ? ? x
Figure 8: Model-based design with certified code generators and no code review
Automotive control systems can be validated by means of Hardware in the Loop (HIL) systems.
One or several networked ECUs running automotive control software are tested versus vehicle
models running on dedicated real-time hardware in the laboratory. Since on the one hand lab-
tests are cheaper than tests on the track and allow on the other to drive the control-system under
even more scenarios HIL-testing is a crucial complementary validation means. It is performed at
several stages in the production development process as shown in Figure 9
Concept Vehicle
First Ideas Validation Project A-Sample B-Sample C-Sample SOP Reflashing 1 Reflashing 2
Requirements Management x x x x
Function Analysis/Spec. x x x x x
Partioning x x x x
SW-Design x x x x
Implementation x x x x
SW-Integration x x x x
Com.System Integration ? x x x
Vehilce Test x x x x
Fine-Tuning ? x x
Field Test ? ? x
Concept Vehicle
First Ideas Validation Project A-Sample B-Sample C-Sample SOP Reflashing 1 Reflashing 2
Requirements Management x x x x
Function Analysis/Spec. x x x x x
Partioning x x x x
SW-Design x x x x
Implementation x x x x
SW-Integration x x x x
Com.System Integration ? x x x
Vehilce Test x x x x
Fine-Tuning ? x x
Field Test ? ? x
The following example illustrates the interaction between a customer, e.g., automotive OEM, and a
component supplier over the engineering lifecycle of a typical safety-critical component, such as an
airbag. Although the specific process steps, time-frames, and division of work given in the example
may be different for specific components, the nature and importance of the interactions remain
similar. Table 1 provides an overview of the overall process. It is iterative and evolutionary in
nature, with evaluation and validation progressing through a series of prototypes, shown in Figure
2 as A-Sample, B2-Sample, B3-Sample, C-Sample, etc hereafter referenced as A, B2, B3, C,
etc.).
The overall engineering lifecycle is outlined below in four main stages (1) Concept Engineering
(Table 2), (2) Realization (Table 3), (3) Industrialization (Table 4), (4) Lifecycle follow-up (Table 5).
Within each stage, the process is tabulated in terms of flow of engineering work products between
the customer and the supplier.
Concept engineering stage
There are three sub-stages in the engineering stage: (1) Preparatory (Table 2 Index 1-2). (2)
Technical specification development stage (Table 2 Index 3-11). (3) Enrichment of the technical
specifications (Table 2 Index 12-22).
Table 2: Engineering progresses through Protoypes A and B1, focused on the product
concept.
Index Customer to Supplier Supplier to Customer
FMEA
1 Updated at the product validation review and at each stage of evolution: model, B2 & C prototype,
preproduction.
Realization stage
Process: Improve product, process and tools through a series of prototyping and validation cycles.
End state reached from this process:
Product is defined
Process is defined
Product and Process definitions are compatible
Tools are robust
Prototypes B2, B3 and C are realised during this phase. The number of representative prototypes
depends upon the project.
Table 3: Process for realization of a safety-critical component. Duration is less than 1 year.
Index Customer to Supplier Supplier to Customer
vehicle)
5 As listed above, but for B3
6 Anomalies report for B3
7 As listed above, but for C, as necessary
8 Anomalies report for C As above.
9 Finalized product definition documents
(finalized justification file and receipt report),
and the process definition and tools.
Industialization stage
There are three sub-stages in the industrialization stage: (1) Detailed design process (Table 4,
Index 1-5). (2) Validation of the product made with pre-production tooling offline (Table 4, Index 6-
12); duration = 1 year. (3) Validation of the product made with pre-production tooling in-line,
including customer-acceptance (Table 4, Index 13-17); duration = 1 year.
Customer Tasks
1. Audit SUPPLIER operation
2. Audit process of achievements of the reliability studies
3. Evaluate the test facilities and the full rates (cadences) on site of manufacture.
Supplier tasks:
1. Ensure management of configuration (for traceability, evolution, and coherence of the
product...).
2.1.4.2 State of the engineering process relative to 2010 road safety goals
The current state of automobile engineering practice, outlined in the previous section, is
characterized in terms of the distance from the state needed to meet the 2010 road safety targets
of the European Commission. Topics in this assessment have been selected in consideration of
their potential impact on the road safety objectives. With the increasing software content,
complexity and quality issues in vehicles, the assessment is focused on issues affecting software.
To help assess the magnitude of the development gaps identified, research references are cited.
However, citations do not necessarily imply advocacy of adopting their solutions.
Figure 1 sets the context of this work in terms used in IEC 61508 [20]. In this assessment,
engineering is defined as the application of a systematic, disciplined, quantifiable process to
transform customer needs, e.g., road safety, into embedded software-intensive systems to control
the vehicle.
There is no adequate, accepted, mature, demonstrated process for engineering integrated safety
systems of the scale of todays automobiles. There are fundamental weaknesses at the system
engineering level [93], starting from fuzzy notions and usage of basic terms such as system,
safety, and integrated.
For example, analyze the definition of Integrated Safety System proposed for EASIS: A
composition of functions In current practice, notions of composition and function do not
even conform to ordinary dictionary definitions of these terms, in the requirements space, as well
as in the solution space. If the requirements are not formally specified, then compliance with the
requirements cannot be formally verified. Therefore, one cannot prove that risk is contained within
acceptable levels. Thus, it is not possible to assure that the (vehicle) system meets its intended
road safety objectives.
Current practice does not engineer risk management aspects of the vehicle, driver and the
environment, as a system, as defined in [29]. Even risk from within the vehicle itself is not
managed as an integrated system. A contributor to the problem is the manner in which OEM
organization structures divide roles and responsibilities, e.g., separation of safety, hardware and
software. Many factors - not usually recognized as safety related - can influence risk in unintended
and unexpected ways. No systematic, disciplined, quantifiable process is used to identify and
analyze these influences.
In current practice, safety is often engineered in terms of protective measures that are incorporated
in addition to normal operating functions, rather than being integrated. For example, the
manufacturing automation industry has been applying IEC 61508 to functional safety by
engineering it separately from normal operating functions separate processors, buses and
software.
The automobile industry does not have a systematic, disciplined, quantifiable process for hazard
analysis [94], [95], [96] in the requirements engineering phase, i.e., preliminary hazard analysis
(PHA). The process is particularly weak in analyzing influences of the environment on the vehicle.
For example, [22] Section 3.2.2.2 specifies, A preliminary safety analysis should be performed
early in the lifetime to determinethe hazards associated with potential failures in the system
However, hazards are not always caused by failures of electronic systems. Hazards may also
result from factors such as driver behaviour, traffic conditions, and road layout. Engineering is
focused on failures and faults within the vehicle, and thus on reliability and dependability related
metrics. As a result, the approach to risk management has been overly concentrated on
replication-based fault-tolerant design, as opposed to a requirements-driven systematic search for
alternative solution approaches, e.g., early detection and warning of (impending) failure, mitigation
of fault propagation, reduction of services (degraded mode; limp home capability).
Searching for environmental risk management approaches outside the automobile industry, we find
useful parallels in the aviation industry. Hazard analysis on aircraft systems includes an
assessment of the environment within which the system will operate, including the maintenance
regime, aircrew training and airframe limitations. Within the automotive context, there are parallels
including the annual roadworthiness inspection required in Europe, and the driving test and
statements of good driving practice (e.g. in the UK Highway Code). However these are often
limited in their scope, e.g. a driving test need only be passed once, and there is no requirement for
periodic revalidation. There is no general consensus on what the overall constraints or safety
envelope (vehicle maintenance, driver skill maintenance, use restrictions) should be for an
integrated safety system. Thus, the {vehicle, driver, environment} system is unbounded. It is not
possible to arrive at a satisfactory solution, i.e., risk level which is acceptable and achievable.
- Requirements allocated
- Safety Integrity Level
Feedback
- Requirements allocated
Hardware Lifecycle Process Feedback - Safety Integrity Level
Figure 11: Relationship across System Lifecycle Process and Software Lifecycle Process
The overall business process tends to bundle electronic hardware and software with the
corresponding electromechanical subsystems, e.g., steering and brake. Requirements from the
OEM (system engineering) for subsystems, typically specific to a vehicle, flow down to respective
subsystem suppliers. These requirements typically specify functions and hardware interfaces, e.g.,
interfaces to the buses. Software interfaces are typically specified in terms of communication
messages, formatted for specific communication buses. There is little control over the software
process used by the subsystem supplier. Software specification techniques used by customers are
not rigorous enough to allow efficient verification of software from suppliers, even though better
specification techniques exist [97].
Typically, engineering is specific to a single vehicle, following the waterfall method (the traditional
V model). The process is dominated by predefined hardware constraints. There is little
opportunity for software engineering to influence system specifications and hardware constraints,
often resulting in compromised software. Reuse of software is ad hoc, and mainly within a
suppliers own organization.
In contrast, the Software Product Line Engineering (SPLE) approach [98] is in practice in other
industries. The process strongly depends upon architectural specifications [99] and reusable
components [100] conforming to the architectural specifications. Requirements Engineering is the
weak link in the current state of SPLE, although requirements reuse techniques are emerging
[101].
Leading innovators in other industries are moving away from the traditional waterfall method and
towards a method of iterative incremental evolution and development [102]. The iterative cycles
allow tradeoffs against hardware constraints and other system requirements.
Typically, requirements from OEMs to suppliers lack the rigor needed for High Integrity Systems,
By and large, requirements specifications [103] are incomplete [104], inconsistent [105], and not
formally analyzable [106], although some recent progress has been reported [107].
Requirements tend to be docu-centric, text-oriented, and informal. Subject matter experts who
have knowledge of requirements often lack the expertise to express themselves in terms of formal
specifications. On the other hand, a formal methods expert lacks the expertise to elicit the real
requirements out of the subject matter experts, and may create specifications that may not reflect
the real needs and may not be easily reviewable by the knowledge-sources. This informal-formal
gap exists across all industries. However, there are well-documented approaches to address this
gap [108], [109].
System requirements and results of preliminary hazard analysis (PHA) and subsequent Hazard
Analysis (HA) are not well integrated [110]. There are no information model standards for the
results of PHA and HA to be integrated into requirements models, although some progress is
reported [111], [112], [113], [114].
Typical relationships across requirements include derived from and supports. However, other
types of relationships are also needed, e.g., conflicts with (to support tradeoff analysis),
composition (to formalize the model), causality (to support hazard analysis), mutual exclusion,
etc.
It is not possible to trace from an individual atomic requirement item to its corresponding design
element and vice versa. There are a number of barriers, including the lack of formalism in the
requirements engineering process, the lack of design standards to facilitate mappability, and
inadequate support in design tools. Without traceability, it is difficult to check whether all
requirements are satisfied and whether the design goes beyond the specified requirements.
Similarly, the traceability from requirements to software validation and verification plans (SVVP) is
also weak, making the verification task more effort-consuming and error-prone. In tools that link
requirement to test-cases through correspondence tables, the manual maintenance burden is very
high; it results in inconsistencies.
There is no agreed-upon acceptable (or tolerable) risk level for integrated safety systems. A
moving automobile is continuously exposed to risk, influenced by many unknowns in the condition
of the road surface, the environment, and the driver the vehicle is only one set of factors.
According to IEC 61508-5 Section B.2, any risk must be reduced to a level which is as low as is
reasonably practicable (ALARP). However, there is no public agreement on what is reasonable
and what is practicable. When society does arrive at some agreement, application of ALARP
would require adaptation of IEC 61508-5 methods to the automobile context. The forthcoming
MISRA Safety Analysis publication will demonstrate how to perform the adaptation within the
context of automotive control systems.
To quote an excerpt from IEC 61508-5 Section A.4, tolerable risk level is based on the current
values of society and in Section A.2, Important factors will be the perception and views of those
exposed to the hazardous event. For illustration of the issue, consider a scenario of 107 vehicles
running on roads around the world at any time (an equivalent of 107 continuously operating
vehicles). Consider a requirement for the highest integrity level in IEC 61508-1, Section 7.6.2.9
and the more demanding continuous mode of operation, in which 10-9 is the most stringent limit on
the probability of a dangerous failure per hour for a safety function. Now approximate the rate at
which a dangerous failure of one safety function might occur somewhere in the world!
Furthermore, consider that there could be many such safety functions with dangerous failure rates
of the same order of magnitude. Would that be an acceptable risk in 21st Century human society?
In [33], hazard is classified by the degree of controllability (by the vehicle driver). Controllability
refers to the ability of the driver to control the safety of the situation following a failure, and
assessment of controllability includes examining the scope of the system authority, the provision
of backup facilities and the driver reaction time. However, active safety systems introduce a new
factor in controllability. Consider the following future scenario: Active safety automation handles
the more common and more frequently occurring conditions, and the driver exercises less active
control to cope with them. The driver is left with the responsibility of those conditions that the active
safety automation cannot handle. However, the frequency of these conditions reduces as active
safety automation improves. In this state, when that infrequent hazardous condition does arise,
will the driver be able to react to it? The question concerns loss of skill and loss of focus due to
inactivity. There are unknowns about the driver-vehicle-environment system. The RESPONSE
consortium has made some progress to address such issues [10][129].
Validation of requirements is inadequate, even though there are general techniques such as
Quality Function Deployment [115] and techniques specific to software system safety [95].
The traditional approach to verification is weighted towards downstream code-level testing. It yields
results too late at too high a cost. Testing can only reveal the presence of a defect it cannot
guarantee the absence of defects. V&V should be performed at every stage of the process, i.e.,
shift from the traditional V process to the Y process [116]. Requirements should be checked for
consistency and completeness, for which techniques are available [104], [105]. Current practice
uses simulation to improve design. However, as in testing, it can only reveal the presence of a
defect it cannot assure absence of defects. Formal verification methods are more promising in
this respect [117], [127], [128], [129]. However there are several limitations. First, requirements
specifications are not formal. Hence a translation from the requirements specification language to
the input language of the formal verification tool is necessary. This translation requires
extraordinary skills and it is a potential source of error. Secondly, formal verification methods are
just beginning to be scaleable to the size of embedded automotive control systems. Research has
shown promise by exploiting hierarchical state machines with properly defined semantics [106],
[127], [128]. Formal methods are more developed for discrete control, such as in body electronics,
but not so well developed for control systems that also include continuous-time functions, such as
in steering, braking and propulsion. This is a subject of long-term research [122], [123].
Robust interface specifications of interacting software components can improve verifiability at the
source code prototype (signature) level. Weak data typing deprives the auto industry from
exploiting type-checking available in compilers. However, no such support is available for
verification of distributed interacting components. As a result, too many errors are discovered at
various stages of integration with progressive cost-escalation.
Testing unit code is the most popular verification technique used today. Industry is trying to
automate test-case generation. This trend is not good enough for High Integrity Systems.
Research is underway to shift emphasis towards upstream V&V [116]. The SafeAir project
developed an improvement of the V based development process to save development time and
effort while preserving or improving the dependability of the developed systems. The emphasis
within the project was on formal development of systems, providing formal specification, formal
verification, automatic test case generation and validated code generation. The semantic
integration of system-level and design-level modeling tools allows a virtually integrated V-process
that is sharpened up to a Y-based process with the required steps at the bottom of the former V
being considerably automated. See Figure 12. For more details see [116].
Optimized-Y Improved-Y
Y V
System State of the art
Specification
System
(supplier
Software
specification
Equipment
(manufacturer)
Advanced users
DO178B
Detailed design
compliance
time
As mentioned earlier, the multitude of programmable electronic functions embedded within the
automobile are not a system in the sense of a true composition. In other words, one cannot identify
an explicit unified single system architecture, specifying or even describing all the inter-
relationships of functions related in some manner, directly or indirectly. Without this comprehensive
view of a system, its architecture and the discipline of defining this architecture, it is not meaningful
to discuss an integrated safety system or its safety properties. Unfortunately, the term
architecture [118] is often used for the physical configuration of interconnections and
interconnected devices. In contrast, available architecture description technology is demonstrated
in EAST-ADL [119].
For engineering vehicles as product lines or families, with software components reusable across
members of the family, commensurate commonality of architectures is needed across all
members. To maximize reusability value over time and product variety and changing technologies,
we need an architectural framework or domain architecture from which specific but compatible
architectures can be derived. This discipline is lacking in current practice. Without it, an integrated
safety system with guaranteed safety properties cannot be composed from components supplied
by different sources. Standardization of a physical platform is not sufficient it draws attention
from more important aspects of architectural specifications, e.g., unambiguous semantics of
interactions and information exchanges.
Model-based design is rapidly emerging in functional units. However, the input and output are tool-
specific proprietary formats and the semantics of the design model are not mathematically-defined
and explicit. Thus, it is not easy to apply third party tools for analysis or verification of the design.
Due to this fact a mathematical semantics of modelling tools are required to apply formal analysis
methods and tools [125], [126]. Furthermore, a tool specific integration of the analysing techniques
is necessary to scope with the formal semantics. It is also not possible to apply a software product
line engineering (SPLE) process with third-party library assets, reusable across tools and
suppliers.
There is a need for standards to exchange data unambiguously across the various stages of the
engineering process, across the corresponding tools, and between customers and suppliers with
IP protection where required.
By and large the process is manual, using a subset of the C programming language, e.g., as
specified in MISRA [33] [34] and checking the program for conformance to the restrictions [76].
The transformation of design to programming language code is closer to automation, for a single
functional unit, without reuse of its components across applications, tools, or suppliers. However,
semantic equivalence, and hence correctness of transformation, cannot be proven. A key barrier is
the lack of strong data typing, both within the modeling environment and within the C
programming language.
Challenges are in automatic code generation which is already used today in some application
areas (e.g. avionics systems). To reduce the testing and validation effort for the resulting unit, the
code generator has to be certified too. As the certification process is quite expensive new releases
of certified code generators are very rare and one has to live with known bugs. Another approach
which overcomes this drawback of certified code generators is code validation, i.e. verifying that
the target code produced by a code generator (equivalently, a compiler or a translator) is a correct
implementation of the source specification [124].
Excessive calibration is required at the time of vehicle integration and testing. There are several
contributing causes. Either the algorithm provides too many or too few degrees of freedom in the
calibration. This problem has to be solved by improving the requirement specification for the
algorithm. Secondly, accurate plant models are not available at the time the algorithm is being
developed. Thirdly, algorithm modeling and plant modeling use different modeling paradigms,
making model integration difficult.
The automobile industry, as a community, does not have a continuous improvement process [13]
to grow towards achieving its shared goals in integrated safety systems, i.e., it lacks a
systematized feedback, root cause analysis and correction process. It is limited by the lack of
traceability across all stages and work products in the engineering process. This limitation is rooted
in the lack of an adequate requirements engineering and management process.
With the current state of system and software engineering, high safety integrity levels will require
high quality in work products, as well as the processes. As the main software engineering process
begins to utilize automation and reusable assets, industry must assess the state of readiness of its
software planning processes [26] that direct the software development processes and the integral
processes. These processes produce the software plans and standards and define the
development environment, including tools and their qualification criteria. These outputs will require
standardization across the community of customers and suppliers participating in the realization of
integrated safety systems. Industry lacks adequate tool qualification criteria and qualified tools for
automating software processes such as correct by construction code generation.
Integral processes [26] include software verification (already discussed above), quality assurance,
and configuration management (CM).
Scale
Less More
Today vehicles present an enormous variety of electronic architectures: from a highly centralised
approach (with few electronic control units in the car) to vehicles with more than fifty electronic
control units. Low-end vehicles have a single network with CAN Low Speed protocol while medium
and high-end vehicles may several buses: CAN High Speed for engine modules because of the
amount of information to share in short time, CAN low speed for body and diagnostics, LIN-bus for
local sub-networks, MOST for multimedia, ...
In most vehicles, the splitting of the network is similar to the diagram in Figure 14. This splitting is
usually done according to functional areas, hierarchy, safety, stand-by current, etc. Usually,
different messages should go from one bus to another, and then there should be a Gateway
between each of them.
GATEWAY Standard
Option
In todays vehicles the powertrain domain is mainly consists of two ECUs: an engine control unit
and a gearbox unit (the latter only for automatic or semi-automatic gearboxes). For specific
functions such as stop and start, alternative fuel engines (e.g. LPG) or shift-by-wire, additional
ECUs are added to the main network.
The powertrain ECUs are generally connected with the chassis domain ECUs to a high-speed
CAN network of 500 Kbit/s. For several further functions as electro-magnetic valve control,
controlled alternator, diesel warm up, etc. a local network such as LIN or a dedicated CAN network
can be implemented on the engine control unit.
OSEK OS, COM and NM are the only software standards used in these ECUs and they are not
necessarily implemented in every ECU. Component suppliers provide their own ECU with their
own software integration.
2.1.5.2.2 Hardware
The architecture of the ECU is a two-chip design for the semi-automatic gearbox (single processor
for the automatic gearbox) with a different dimensioning of the microcontroller and the power
stages. In this area the main processor is typically a 16 bit device (a few have a 32 bit device) with
a second 8-bit processor (see Section 2.1.5.2.4 Protection strategy) for the semi-automatic
gearbox. The external clock can vary from 16 to 40 MHz, the Flash size from 192 kB to 1 MB, (an
EEPROM space of few kB is needed), the RAM size from 4 kB to 16 kB, and the smallest cycle
time is around 2 ms for a servo-control basic function.
The power consumption of the ECU is under 1A. However, the power stage can control between
4 A to 30 A.
Sensors
The number of inputs is around 10 analogue sensors (up to 20 for a semi-automatic gear box) and
10 logical inputs, for example:
Selector level
Engine speed
Engine torque
Oil temperature
Oil pressure
Throttle
Kick down
Brake contact.
Actuators
The number of outputs (commands) is more than 10 (both high-side and low-side outputs), such
as:
Torque converter
Shift lock
Clutch actuator
Gear shift actuator
Start-up interlock.
Safety modes
Several critical functions are identified where safety concepts are applied (see Section 2.1.5.2.4
Protection strategy).
As for the engine control unit, a limp home mode is defined and corresponds to a specified
mechanical position under fault conditions (without control). For the automatic gearbox it
corresponds to a gear position and for the semi-automatic gearbox it corresponds to an open
clutch.
In the powertrain domain OSEK is the emerging standard for operating-system software with a few
examples of its use in series production. Many suppliers have their own solution for the operating
system that can be adapted to (or be compliant with) to the OSEK standard. For the
communication layer, OSEK COM and OSEK NM are the standards provided by Tier 2 suppliers,
integrated by the component suppliers and so used in this domain.
A complete description of the software OSEK OS, COM & NM is given in the Standards section
(2.1.5.7).
TCU
Redundant inputs MC
Processor Monitoring
Program Flow / Instruction Set / Memory
Function
Level 1
Processor Monitoring
Level 3 MU
ADC Evaluation Processor Monitoring
Error
principal conditions are met to control the actuator. A comparison of results between Level 1 and
Level 2 is made. If there is a difference, only the result of Level 2 is taken into account. So Level
2 is used to avoid an unhappy decision of Level 1.
Therefore in the case of an engine or a gearbox control, the instructions for engine torque or
actuators are calculated 2 times by 2 different algorithms.
This layer also implements the detection of an A/D converter failure. With this scheme, an
analogue signal with little dynamics is acquired at the same time on the main microcontroller and
on the monitor unit and the results of the conversions are exchanged between the two units.
Level 2
This corresponds to an execution test of the instructions of the function: the main microcontroller
sends constant vectors of the input data of the critical functions, adds all the results and sends it to
the monitor unit for a (static) comparison.
Level 3
This level typically contains the following functions:
Test of the RAM and the ROM by the two microcontrollers.
Mutual test of the software versions by the two microcontrollers,
Management of a dependable serial communication interface
between the two microcontrollers.
MC - Main Controller
Copy of Process Monitoring
ROM-Test RAM-Test Process Monitoring
Instruction Set Test
ROM-Test Program Flow Monitoring
Level 2
AD Value
SW-Version Predrive
RAM-Test
Level 2 Timeout/Checksum/Command/Interface
SPI COMMMUNICATION
Timeout/Checksum/Command
Value
A/D Predrive
SW-Version
ROM-Test
Instruction Set Test Program Flow Monitoring
RAM-Test
MU - Monitoring Unit
Number of ECUs
In the chassis domain, there are typically only a few ECUs, between 1 and 6. However, if you look
at the very-low-end of car segments, there can be no ECUs in the chassis domain at all. In low-end
vehicles, there is normally at least one ECU, i.e. for the anti-skid system (ABS).
In this analysis, the Volkswagen Golf V is taken as an example of the typical version with an
average number of ECUs in the chassis domain, i.e. 2. These are the Braking System ECU (ESP)
and the Electrical Power Steering (EPS) ECU. As can be seen, there is no dedicated chassis Bus
system and the control systems related to chassis functionality are represented by a brake ECU
and an ESP cluster (Figure 17).
The S-Class from DaimlerChrysler and the BMW 7 series are taken here as the typical vehicle
version with the maximum number of ECUs. In the S-Class there are 5 main ECUs in the chassis
domain, which are the Electronic Stability Program (ESP), the Active Body Control (ABC), the
Adaptive Damper System (ADS), the Tyre-pressure Control System (RDK) and Distronic (DTR).
The EWM (Electronic Selection-level) could be view as a part of the chassis or the powertrain
domain.
Looking at the topology of the BMW 7 series, you can find that there is no dedicated bus system
for the chassis systems. On the powertrain CAN-C bus there are several ECUs that either
contribute to the powertrain regulation or to chassis control systems. In Figure 6 you can see these
ECUs (blue boxes represent extra features, green boxes represent standard equipment), which are
the adaptive cruise control, active roll stabilisation, dynamic stability control, electronic
transmission control, electromechanical parking brake, digital diesel/engine electronics, adaptive
light control, electronic damper control, and rotational speed sensor (which is not an ECU).
Diagnostic
Access
Central
Gateway
SZ-
Vehicle ACC
DWA AHM MMI-GT CAS Steering DDE 1
Centre Module
Column
DME 1
1-Axle- A-Pillar A-Pillar
PDC ASK COMBI TM DD TM DP ARS
Air Spring left right
DDE 2
SZ-MK Antenna B-Pillar B-Pillar
SZ-MK MMC TM DDR TM DPR SIM DSC
Fond tuner left right DME 2
Chassis
Video SM SM Seat
RDC Integration CDC Seat Driver EGS ALC
Module Driver Passenger Passenger
Module
Standard
SH/ZH Equipment
Optional
Equipment
Communication
In todays vehicles no dedicated bus systems for the chassis domain exist. Typically, the chassis
ECUs are connected to the Powertrain CAN with the high-speed CAN of 500 Kbit/s. Usually there
is only one centralized gateway from Powertrain CAN to CAN Comfort.
Conclusion
In order to assess the state-of-the-art hardware and software in the chassis system, it is important
to first examine what the purpose of electronic systems in this domain is. Altogether, it can be
identified that all chassis systems should either improve comfort, improve vehicle safety, ease
mechanic constructions by using electronic intelligence, reduce weight of conventional systems,
reduce cost compared to conventional systems, or increase reliability and quality of the vehicle.
Following these goals, future applications in the chassis domain will encompass robust and fault-
tolerant systems for longitudinal, lateral and vertical vehicle dynamics. These systems require
control loops that are distributed over several ECUs, synchronous and deterministic system
behavior, and high system availability. Nowadays and in the near-future, the most commonly used
architectural elements will be CAN and Flexray as bus systems, OSEK/OSEKtime as the operating
system, and OSEK-COM/FTCom as communication software. Today there is no dedicated bus
system in the chassis domain. Chassis and powertrain ECUs share the same high-speed CAN bus
in order to fulfill their real-time tasks. In the near future in the luxury class Flexray will probably be
introduced due to rising communication requirements between the components.
In order to give an overview of the hardware in the chassis domain that is commonly used, we
have taken ESP, EPS and ACC. The first two are widely-deployed systems whereas the latter is an
example of a rather recent and complex system that can typically be found in high-end vehicles.
These examples were chosen to show a common structure and principle.
Electronic stability program
The Electronic Stability Program (ESP) is a regulation system in the brake system and powertrain
which prevents uncontrolled sideways vehicle movement. The ABS prevents the wheels locking
when braking, ASR helps avoid wheel spin when accelerating. ESP ensures that the vehicle does
not become unstable or veer off course when steering.
ESP further improves on the advantages of ABS and ASR regarding active safety in the following
ways:
active support for the driver even in lateral dynamically critical
situations
advanced driving stability; directional stability in critical conditions in
all operational states such as full and partial braking, drive,
deceleration and load change.
advanced driver stability even with extreme steering manoeuvres
(fear and panic reactions), and therefore drastic reduction in risk of
skidding
improved vehicle behaviour also in critical situations and therefore
predictive regarding the limits of the drivers experience.
In the ESP ECU several different functions are realised:
Electronic Braking-force Distribution (EBV)
Transmission-slip Control (ASR)
Anti-skid System (ABS)
Automatic Stability Control (ASC)
5.8.2004 Version 1.0 43
EASIS Deliverable D0.1.2
Sensors
The most important part of the ACC is the radar sensor, which measures the distance, angle and
speed difference to the car in front. A typical ACC radar sensor uses a 3-ray 77 GHz Pulse-
Doppler with an average sending power of 200 W and a measuring distance of roughly 150 m. It
can measure the distance to objects in front of the vehicle with an accuracy of 1 m. It is connected
to the high-speed CAN.
Actuators
The actuators with which the ACC ECU communicates are
Motor (engine) ECU
Gearbox ECU
ESP ECU
Protection strategy
Protection strategy is of vital importance for the safety-critical ECUs used in the chassis domain,
which should have some characteristics which enable them to deal with possible faults. Two main
requirements are given for fault-tolerant systems: safety and availability.
Fail-safe ECU
The requirement for fail-safe ECUs is as follows: All critical faults have to be detected and
mitigated, e.g. by switching the ECUs to a safe state. Theoretically, no ECU component
characteristic which is 100% fail-safe can be produced. In practice, with the common fault-
recognition strategies, very high rates of fault-recognition can be achieved.
There are a variety of different concepts to realise fail-safe ECUs. Two of the most common
concepts are presented here (see Figure 20).
Single processor system with watchdog: The fault recognition in
a single processor system with watchdog is realised by software and
hardware in an external observer watchdog, which switches off the
processor power or resets the processor in case of failure.
Dual system with two processors: In a dual system the same
software runs in two identical processors. Alternatively, the system
can also be realized with different processors and software. Both
processors can set the ECU in a fail-safe state.
Single Processor with Watchdog Dual - System
Actuators Actuators
Application - Watchdog Application - Application -
Processor Processor Processor
Sensors Sensors
Fault-tolerant ECU
Nowadays there is no real fault-tolerant automotive ECU in practice. From other domains (e.g.
aerospace) there are two common concepts under the assumption of one-failure-tolerance (as
shown in Figure 21).
The Dual-Duplex-System is realised with two duplex-units, each of them fail-safe, that is to say,
when there is a failure in one system, it is switched off. The ECU itself will continue to operate with
the second unit.
A typical Triplex System is realised with 3 processors, which operate in parallel, and the decision is
carried out using the voting-principle (votes out of 3).
In this paragraph a description of the existing and emerging standards of the Software
Implementation Framework in the chassis domain is given.
Figure 22 shows the basic building blocks of the chassis domain (as worked out in the EAST
project). However, the middleware layer has not yet been used in serial product.
OSEK Middleware
In todays architecture, as electronics gets cheaper and integrates more and more power
elements, it is becoming more common to distribute body electronics, because power is better
handled, (less losses and risk), monitoring can be done at the electronics end, software is
distributed and simplified, and because size is better distributed.
Nevertheless, hierarchy must be kept and main control has to exist for safety reasons. But it can
be split into two or three major modules: the Smart Distribution Nodes (SDN). Normally one SDN is
defined for engine management, (ESDN), a second one, (main, CSDN), for cockpit, and a third one
for the rear area, (RSDN). This third one may be integrated in the CSDN if there are very few
elements to manage in this rear area.
We have to differentiate CSDN from other SDNs like engine or rear ones. The CSDN usually
includes the main gateway and can have redundancy of systems, (microcontroller, limp home),
to ensure safety of the electronic system. CSDN carries only a small number of power loads.
ESDN and RSDN are usually more devoted to the control of big loads (cooling fan, wiper) and/or
communication with local buses. Therefore, they have a lot of protection related to the power
loads. In the near future, with 42V/14V architectures, these SDNs will probably include the DC/DC
converters. Therefore, the CSDN is left as the main brain of the vehicle with optimised processing
speed and safety, although it may mean redundancy of components. Cost optimisation comes
when considering that this module can easily be used in several kinds of vehicles.
Therefore, functions like internal or external lighting, door features, seat control, etc. are being left
for other peripheral units, leaving energy and power management, central safety control, (alarms),
or gateways for SDNs. When a local bus, such as LIN is used, the SDNs are usually the master of
the local bus. Also, all SDNs can have reduced operation of distributed functions in case of other
modules breakdown or communication loss.
Today SDNs can be characterised with a 16 bit microcontroller with no more than 256 Kbytes of
Flash memory. A special case is the SDN with Gateway functions or equivalent, (i.e. BCM). For
these modules speed is a must, together with redundancy or ensuring maximum protection against
possible failures. For these modules the microcontrollers will have 16 bits, or even 32, with
memory size up to 512 bytes. There may also be two microcontrollers, one dedicated only to
gateways or to which is redundant in primary elements.
The SDNs have an operating system which fully implements OSEK. In some cases (low-end cars),
OSEK in not implemented and only a scheduler with network management is implemented.
As regards small electronic modules like those for seats, doors or smaller, (mirrors, wipers), the
tendency is to specialise the microcontroller peripherals. Only 8 bits are needed and memory sizes
up to 32 or 48 Kbytes, but as the module size is critical, and versatility is a need, the type of other
elements inside the microcontroller has to be carefully selected: one or two bus drivers, output
controllers, timers, voltage supply, RF
Another important point is the introduction of Diagnostics Services. The Diagnosis Services allow
the car configuration, the self diagnosis of the car while normal operation, the access to failures
information stored on a distributed way within the ECUs, read inputs, act upon loads for reparation
or testing...
The Diagnosis Master Tool should be capable of accessing all the diagnosis information stored in
the ECUs. It should also be able to request certain services to all ECUs even if they are not
connected to the same bus where the tool is. For this reason the complexity of the architecture
normally has a great effect on the electric diagnosis.
There are different possible solutions for this. One solution is the use of an independent bus
connected to all ECUs used for diagnosis. The advantage of this method is the independence of
the diagnosis data from the rest of application data, the reduction on diagnosis complexity and the
reduction of the bus load.
Another solution is to use the already existing buses for diagnosis. This means that the SDNs act
as gateways between the diagnosis bus (also used for application) and the sub-buses. In the case
of automotive buses normally the standard protocols defines how the gateways should behave. If
the Architecture Complexity splits the functionality in sub-buses more and more then more gateway
functionality will be required for diagnosis. The ECU acting as a gateway is the diagnosis master
for the sub-bus.
As an example, consider a typical module in this domain: the Engine Smart Junction Box (E-SJB).
This module controls several loads such as Lamps (Interior and Exterior), Door Locks, Cooling
Fan, Wipers, Fuel pump, Washer pump, Tailgate and Horn, among others.
This module also acts as a gateway between the High-speed CAN (500 kbps) and a fault-tolerant
Low-speed CAN (125 kbps). It includes another Low-speed CAN (125 kbps) for diagnostics and
two LIN-buses (1 for communication 1 for diagnostics). In both cases, this module is the master.
This module includes a Limp Home Mode (implemented using discrete circuitry) to protect micro
and voltage regulator failures and several fuses for overcurrent protection (next generation SJBs
have polyswitches and magnetic current sensing).
The microprocessor of this module is a 16-bit processor, 512 KB Flash-ROM, running at 16MHz.
The system has an operating system which fully implements OSEK. In low-end cars, OSEK in not
implemented and only a scheduler with network management is implemented.
The E-SJB acts as a central gateway for diagnostics, implementing KWP2000 through one
dedicated low-speed CAN-bus.
The system has very limited scalability capabilities, only one LIN-bus for extra option(s)
configurable at the end of production line. The next generation SJB will have enhanced plug and
play capabilities by modification of the serial bus.
Telematics/Communication is one of the most recent emerging technologies within the automotive
industry and may be broadly defined as, "the interactive exchange of information, via voice or data,
over a wireless communications network".
Telematics allows a number of different interactive systems to be provided though three basic
capabilities:
1. Two-way communication capabilities (wireless)
2. Location technology (geographic position)
3. Computing platform for system control and interface to automotive electronic systems(s).
In todays vehicles, key capabilities are two-way communications (such as GSM) and location
technology (such as a global positioning system receiver GPS), which are combined with a
computer hardware and software to create the telematics system. The interface to other electronic
systems inside the car is usually provided too. This kind of system, as integrated in the BMW
Series7, can offer the following services (among others):
Navigation
Emergency call and roadside assistance
Vehicle security notification and stolen vehicle tracking services.
For instance, LEAR has presented an electronic control module for demonstration integrated in an
overhead console. This electronic module contains the following functionality:
GPS & GSM
Emergency Call
Vehicle Tracking
Bluetooth
Remote Keyless Entry
Navigation / Diagnostics / MP3 download using a PDA
Hands-free using a Mobile phone
LCD Display
Interior Lighting
The microprocessor of this module is a 32-bit RISC processor, 512 KB Flash-ROM, running at
24MHz. The Bluetooth module is a two-chip solution: one device for RF and another device
including the base-band and the implementation of the lower layers of the protocol.
In this module the Bluetooth protocol has been implemented based on the Serial Port Profile. The
Serial Port Profile is based on Radio Frequency COMMunications (RFCOMM). RFCOMM provides
serial port emulation, enabling Bluetooth support for serial data connections and it is integrated in
the Bluetooth component with the low level layers. The host microcontroller contains only the
application layer and communicates with the Bluetooth device through a series protocol.
This implementation allows the application layer and the rest of the stack to be completely
separated. If the SPP profile is installed on the host microcontroller, the particular application must
be always used in conjunction with the stack that it was developed for.
Application Layer
Application
Device Physical Interface Controller (UART)
Control Interface
HCI L2CAP
Base-band Control
The major trend in current vehicle development is the increasing number of electrical and
electronic systems in the cars. These systems are being introduced in order to give more
functionality, comfort, and safety to the customer.
Some of the trends (and challenges) that this evolution introduces are:
Higher number of decentralised control tasks
Higher number of monitoring and diagnostic tasks
Scalability and variety (High number of options and variants)
Higher communication bandwidth between control units and between
sensor/actuator units and control units
Integrated safety systems are adding an additional dimension to these general challenges,
because they connect domains (powertrain, chassis, body and telematics) which are only loosely
coupled in todays in-vehicle systems. Furthermore the environment sensing needs fusion of
different sensors to reach a high reliability for detection and classification of objects, and future
systems for accident free driven will extend the dependability requirement for electronic systems.
Adaptive headlight functionality is a good example of interdomain communication. Adaptive
headlight systems shift the headlamps spread to enhance visibility when cornering at night. In
order to compute the right angle, the inputs from sensors sending information on vehicle steering
angle, yaw rate, and road speed are used. In most cases, these modules are mechatronics located
near the lamp.
An appropriate algorithm controls the light beam according to the drivers commands, geared in
each case to the respective situation on the road and the speed of the car.
The information needed is generated on the powertrain bus. Usually, the adaptive headlight
systems are not connected directly to the powertrain because, in case of a frontal crash, the
powertrain bus may be severely damaged. In this case, is better to connect the adaptive headlight
modules to a separated CAN-bus.
Some OEMs propose to link the adaptive headlight system to the cars GPS satellite navigation
system and digital road maps that present all curve radii in the area covered, which will enable the
headlights to illuminate bends even before the driver turns the steering wheel.
2.1.5.7 Standards
CAN bus
CAN-bus is the world standard for Class B and Class C protocols [79].
Class B protocols body/infotainment have speeds between 10 Kb/s and approximately 125
Kb/s. Must support event-driven and some periodic message transmission plus sleep/wakeup.
Protocols used for Class B networks are listed in Table 1.
NAME: USER: USAGE: MODEL YEARS: COMMENTS:
ISO 11898 Europe Many 1992+ 47.6 Kb/s to 500 Kb/s in use
Fault-tolerant CAN Europe Many 2000+ ISO 11519 CAN
GMLAN (low) GM Many 2002+ GM only ; J2411 single wire CAN
GMLAN (mid) GM Infotainment 2002+ 95.2 Kb/s might be IDB-C
Ford MSCAN Ford Many 2004+ 125 Kb/s; J2284
DCX LSCAN Chrysler Many 2004+ 125 Kb/s; ISO 11519
J2284 GM,Ford, DC Many 2001+ 500 Kb/s; based on ISO 11898
J1939 T&B Many 1994+ Replacing J1708/1587/1922
Automotive Qualified
There are two types of IEEE 1394 data transfer: asynchronous and isochronous. Asynchronous
transport is the traditional computer memory-mapped, load and store interface. Data requests are
sent to a specific address and an acknowledgment is returned.
In addition to an architecture that scales with silicon technology, IEEE 1394 features a unique
isochronous data channel interface. Isochronous data channels provide guaranteed data transport
at a pre-determined rate. This is especially important for time-critical multimedia data where just-in-
time delivery eliminates the need for costly buffering.
Much like LANs and WANs, IEEE 1394 is defined by the high level application interfaces that use
it, not a single physical implementation. Therefore as new silicon technologies allow high higher
speeds, longer distances, and alternate media (wireless?), IEEE 1394 will scale to enable new
applications.
Perhaps most important for use as the digital interface for consumer electronics is that IEEE 1394
is a peer-to-peer interface. This allows not only dubbing from one camcorder to another without a
computer, but allows multiple computers to share a given camcorder without any special support in
the camcorders or computers. All of these features of IEEE 1394 are key reasons why it has
become the A/V Digital Interface of Choice.
1394b [83] is a significant enhancement to the basic 1394 specification that enables speed
increases to 3.2 Gigabits/sec, supports distances of 100 meters on UTP-5, plastic optical fibber
and glass optical fibber, and significantly reduces latency times by using arbitration pipelining. It is
fully backwards compatible with the current 1394-1995 and 1394a specifications. 1394b is an
important step forward in increasing the performance and simplifying the implementation of 1394
on PCs, and, with its long-haul capabilities, makes 1394 the convergence bus between PC
products, consumer electronic systems, automotive and home networking.
FlexRay
A consortium including BMW, DaimlerChrysler, GM, VW, Bosch, Motorola / Freescale, and Philips,
is developing FlexRay for chassis and powertrain control in cars [84]. In total the consortium is
supported by more than 70 companies that are organized in 4 different membership shells.
Overview
Flexray defines a communications system consisting of the specification of a communications
protocol and the specification of an appropriate physical layer. FlexRay provides scalable fault-
tolerance to enable an economic design of distributed non-fault-tolerant systems as well as
distributed fault-tolerant systems.
FlexRay supports different topologies for interconnection such as star-based ones and bus-based
ones, as depicted in the figures below. In both cases, duplication of the interconnection is optional.
The star configuration of FlexRay can also be deployed in distributed configurations where
subsystems are connected by hub-to-hub links.
OSEK OS
Overview
The OSEK [85] operating system is the most commonly used operating system for automotive
ECUs, which provides a pool of different services and processing mechanisms. It can be built
according to the user's configuration instructions at system generation time.
Four conformance classes are available to satisfy different requirements concerning functionality
and capability of the OSEK operating system. Thus, the user can adapt the operating system to the
control task and the target hardware. The operating system cannot be modified later at execution
time.
Applications which have been written for a certain conformance class have to be portable to OSEK
implementations of the same class. This is ensured by a definition of the services, their scope of
capabilities, and the behavior of each conformance class. Only if all the services of a conformance
class are offered with the determined scope of capabilities, the operating system implementation
conforms to OSEK.
Function
Task management
Activation and termination of tasks
Management of task states, task switching
Synchronization
The operating system supports two means of synchronization
effective on tasks:
Resource management and
Access control for inseparable operations to jointly used (logic)
resources or devices, or
for control of a program flow.
Event control: Event management for task synchronisation.
Interrupt management: Services for interrupt processing
Alarms: Relative and absolute alarms
2.1.5.7.3 Diagnostics
CCP is a CAN specific protocol, very popular for software development, test and calibration
purpose. It is implemented in widespread measurement and calibration tools such INCA (ETAS)
and CANape (Vector). Vector provides free of charge his CCP source code that can be
implemented in ECUs to communicate with its CANape tool. As calibration and test are identified
as general requirements for EAST middleware, CCP should be used as an existing standard.
Function
The CCP defines the communication of controllers with a master device using the CAN 2.0B (11-
bit and 29-bit identifier), which includes 2.0A (11-bit identifier) for:
Read and write access to various memory locations, variables
and data structures,
Download of calibration and measurement at the same time,
Flash programming,
Simultaneous handling of several ECUs.
The master device is a calibration, a diagnostic, a monitoring or a measurement tool issuing
commands to the controllers. Therefore, CCP may be used for the development and the test of
electronic control units, calibration regarding the controlled devices (combustion engines,
gearboxes, suspension)
Master device
CAN bus
Task of the transport protocol is to transmit messages, which are generally longer than a CAN
message. If a message is very short, it is transmitted unsegmented.
Construction of unsegmented messages
Unsegmented messages are transmitted by a SingleFrame-message. SingleFrame messages can
have a length of maxframesize -1 data bytes at a maximum (normal addressing) respectively
maxframesize - 2 data bytes (extended addressing). There is no Flow-Control.
Construction of segmented messages
Messages, which do not fit into a SingleFrame are sent by a sequence of single communication
frames. The receiver is informed of the length of the whole message in the FirstFrame by the
sender. ISO/TF2 defines here a maximum length of 4095 for user data. The receiver answers by a
FlowControl. The receiver gives the BlockSize and the SeparationTime STmin to the sender in this
FlowControl. The BlockSize controls the number of ConsecutiveFrames, which might be sent by
the sender before waiting for the receivers FlowControl. The minimum value of the
SeparationTime STmin describes the minimum sending distance between two
ConsecutiveFrames, which can be processed by the receiver. The sender transmits the maximum
BlockSize ConsecutiveFrames after the reception of the FlowControl. It is not answered with a
FlowControl by the receiver, if all data has been transmitted, even if it would be its turn as a result
of the adjusted BlockSize in the course of the protocol.
Limitations
Message length limited to <5000 bytes
CAN-specific
Only point-to-point connection
Does not support multiple parallel connections from one ECU
Currently only underneath KWP2000
Online resources
[92] ISO/ WD 15765-2 Road Vehicles - Diagnostic Systems, Part
2: Network layer services. Date 1998-06-24 (www.iso.org).
[88] Vector application note AN37-12, july 2001
The V cycle is the perfect model for categorizing automotive tools according to the area in which
they are chiefly used [40]. In this document, the tools are classified to apply for certain categories
(see Figure 29), such as development tools, test tools, calibration and measurement tools, and
diagnostics tools.
The purpose of a design tool is to (in the broadest sense) contribute to the description of ECU
software. In most cases design tools are accompanied by code generators that convert the
abstract functional description carried out by means of the design tool to source code. The latter
can be further processed and compiled to ECU-ready executable code.
Beside tools for the functional specification of automotive software this category is populated by
tools that support e.g. the configuration of the underlying RTOS or the communication middleware.
In addition, tools exist that concentrate on the mere definition of the data and variable content of an
ECU. By this means it is possible to automatically generate all data structures used in a type of
ECU. The actual behaviour of the ECU, on the other hand, is directly coded in (C) source code
according to this approach.
Please note that particular general-purpose modelling tools (like MATLAB/Simulink) are
considered in this document although they are far from being specially tailored for the automotive
industry. The importance of these tools for the design of automotive software, however, is so vital
that they should not be neglected.
Tools for calibration and measurement are used to fine-tune the behaviour of automotive software.
To be sure, these tools are not suited nor intended to change the functionality of the software
fundamentally but to adjust parameters to meet the actual vehicle behaviour.
Please note that the calibration of parameters is deliberately performed while the ECU is under
operation. By this means it is possible to observe the response of the ECU to even the slightest
change of parameters in real-time.
Please note further that calibration requires special technical arrangements on the ECU since
parameter values of ECU are typically located in a (in the broadest sense) ROM memory area.
This corresponds to the fact that in normal vehicle operation the values of parameters are
intentionally not supposed to change during run-time.
Furthermore, it is possible to measure the values of internal variables for the purpose of debugging
and/or function verification.
Tools for measurement and calibration share a common characteristic: it must be possible to
operate the tool in a vehicle while the vehicle is manoeuvred across a (in some cases difficult) test
track or even a public road.
Sine inside a car usually no space for a PC mouse is available, the tools are required to be fully
controllable by means of the keyboard. Some tools provide audible interfaces for providing
information for the user. In addition, there is a growing demand for other I/O devices such as e.g. a
head-up display of selected program outputs.
The main use of tools for diagnostics is to support probing production ECUs built into series-
production vehicles. The function of these tools is to describe the diagnostics-relevant information
contained in a specific type of ECU such that it is possible to configure a tester device in a
workshop.
The tester device is used to actually probe the ECU and e.g. retrieve the contents of the built-in
fault storage. Please note that the consideration of tester devices or software products that
emulate tester devices is out of scope of this document.
Another use case would be the specification of EOL programming for ECUs. By this means it is
possible to adapt the behaviour of a particular ECU to the type of vehicle (or maybe, the individual
vehicle) it is attached to.
This category is populated by tools than contribute to the analysis of automotive software systems.
This could be, for example, the analysis of communication behaviour of a specific CAN bus.
Furthermore, tools for verifying the consistency of certain model descriptions used in the
automotive domain as well apply to this category
The development of automotive software is tightly connected with the usage of process tools. The
latter are used to implement or support a particular development process.
Especially the provision of calibration data management (CDM) is of steadily growing importance
for the automotive software development.
Although not typically developed for the automotive domain, development systems like compilers
and linkers are indispensable for the creation of automotive software. Please note, however, that a
large number of development environments for the typical microprocessor platforms used in the
automotive domain is available on the market.
The description of each and every relevant product is beyond the scope of this document.
Therefore, the selection of development environments referenced in this document is intended to
give some indications of popular development environments as well as some interesting features
(e.g. integrated MISRA checker, analysis of static stack utilization) concerning the design of
integrated safety systems.
Legislation
ECE Regulation 10 [3] is concerned with the Type Approval of vehicles with regards to
electromagnetic compatibility. It applies to vehicles and/or electronic subassemblies unless the
vehicle and/or subassembly and/or electrical/electronic system does not contain an electronic
oscillator with an operating frequency greater than 9 kHz.
The Regulation sets limits on emissions behaviour for all electrical/electronic systems (subject to
the previous statement) and on immunity behaviour for all systems that could affect the direct
control of the vehicle and its functions by the driver or as observed by other road users.
Whilst this Regulation now effectively applies to all electronic systems, some other Regulations
(e.g. Regulation 13 [4], Regulation 79 [6]) still contain earlier statements of performance with
regard to EMC. It can now be assumed that any approval authority would expect Regulation 10 to
be applied as the means of conformance with these requirements.
ECE Regulation 10 is implemented in European law as Directive 95/54/EC [12]. This Directive is
being updated and a new version will become effective at the end of 2005. ECE Regulation 10
should be updated in due course. Two significant changes to the updated vehicle EMC legislation
should be noted:
It will require that vehicle systems demonstrate immunity to the
wanted signals from radio transmitting equipment installed in the
vehicle
The definition of systems that must demonstrate immunity is
expanded to include:
Legislation
ECE Regulation 13 [4] is concerned with the Type Approval of vehicles with regards to braking.
Annex 18 of the regulation is titled Complex electronic systems. Complex in this context refers
to systems where there is a hierarchy of control, such that lower level functions can be over-ridden
by higher level functions. This Annex includes a requirement for the manufacturer to demonstrate
their safety concept to the Approval Authority, which means the design decision made for the
system to fail safe or be fault tolerant and an overview of the means by which this is achieved. In
practical terms this Annex is being applied to any electronic system that can modify the drivers
braking demands or activate the brakes independently of the driver, including systems such as
ABS, ACC and stability control.
ECE Regulation 13 is also implemented in European law as Directive 71/320/EEC, last modified by
2002/78/EC. The latter does not include the complex electronic systems annex.
Legislation
Regulation 48 [5] is concerned with the Type Approval of vehicles with regards to the installation of
lighting and light-signalling devices. Whilst this Regulation is principally concerned with visibility
and positioning of external lighting, there are provisions on the operation of tell-tale (warning)
devices, interconnection of lighting and operation of exterior lights that may need to be considered
in the design of a system. These requirements are mostly functional, but see Section 2.2.1.
In European law these systems are covered by Directive 76/756/EEC as amended by 97/28/EC.
Legislation
Regulation 79 [6] is concerned with the Type Approval of vehicles with regards to steering
equipment. Vehicles are not permitted to have a steering system that relies on a purely pneumatic,
purely electric or purely hydraulic transmission of the steering forces; apart from:
Auxiliary steering equipment (effectively rear wheel steering) for
categories M (passenger vehicles) and N (goods vehicles), which
can rely on electric or hydraulic transmission
Steering for vehicle category O (trailers), which can rely on hydraulic
transmission.
A purely X transmission means that at some point in the transfer of commands from the driver
input to the road wheels the forces are transmitted by a means which is entirely X with no
mechanical transmission involved.
This Regulation therefore does not allow the steering commands to be transmitted by purely
electrical means (or other non-mechanical means). Work in the ECE GRRF will shortly lead to a
new version of this Regulation in which the need for a mechanical link is removed, thus providing
scope for the approval of a broad range of steering systems from traditional mechanical through
steering assist through to steer-by-wire. In addition there will be a new Annex 6 of the Regulation
on Complex electronic systems similar to Regulation 13.
In European law steering systems are covered by Directive 70/311/EEC as amended by
1999/7/EC.
Legislation
Regulation 97 [7] is concerned with the Type Approval of vehicles with regards to alarm systems.
Whilst its requirements are mostly functional, there is a requirement that an alarm system should
not affect the vehicle operation or its safe performance. See also Section 2.2.1.
In European law security systems are covered by Directive 74/61/EEC as amended by 95/56/EC.
Legislation
Regulation 100 [8] is concerned with the Type Approval of battery electric vehicles. Its
requirements are concerned with construction and with functional safety. Functional safety in the
context of the Regulation is concerned with the types of safety functions that are required (e.g.
warnings and interlocks) rather than how they are implemented.
Legislation
The European statement of principles on HMI [9] is a set of recommendations on the essential
safety aspects to be taken into account in designing the human-machine interface (HMI) for in-
vehicle information and communication systems. Whilst largely concerned with the location of
displays or controls, and the presentation of information on them, it also covers design aspects
such as system interaction so that the driver maintains safe control of the vehicle under all
circumstances, feels comfortable and confident with the system and is ready to respond safely to
unexpected occurrences.
Legislation
The RESPONSE projects have been included under legislation as, while they are European
collaborative research projects, they have been identifying the need for legislation to adapt to the
development and deployment of advanced driver assistance systems (ADAS).
RESPONSE 1, Project TR4022 in the Transport Sector of the Telematics Applications Programme,
ran from August 1998 to September 2001.
The project adopted an integrated approach towards user, system, and legal perspectives. The
final report concluded that ADAS remain manageable from the legal perspective and the users
viewpoint only as long as they can be controlled and/or overruled by the driver at any time.
However, once assistance systems are developed that cannot be overruled by the driver (or which
would require a reaction time to do so that is beyond human performance limits), then the driver
could not be held liable if they were unable to control the system. RESPONSE showed that this
would mean a greater emphasis on product liability, and the need for a clearly defined technical
and user centred development and testing process to reduce the risks for both the manufacturer
and the user of the system.
The project therefore recommended that there should be a clearer definition of the concepts of
reasonable safety and the duty of care, in order to legally protect the manufacturer and the
other stakeholders. Furthermore, methods need to be developed for gaining a deeper
understanding of the risks and opportunities of ADAS. These considerations need to be developed
into a Code of Practice for the technical and user-centred testing of ADAS.
RESPONSE 2, Project IST 2001-37528, ran from September 2002 to February 2004.
The project continued the work started in RESPONSE 1. Starting from the legal requirements of
reasonable safety and duty of care, the project sought to define them by agreement with
industry and other parties. The project also sought to move towards a Code of Practice for the
development and testing of ADAS from an integrated system safety and human factors viewpoint.
One of the major findings of the project was the need for a change of perspective from a product-
liability driven product development approach to one based on risk-benefit analysis and a Code of
Practice. Furthermore the project aimed to agree on requirements for the Code of Practice by
applying the definitions of reasonable safety and duty of care.
It was concluded that risk analysis is different from hazard analysis, and that there is no agreed
automotive process for performing risk analysis, nor for conducting a risk-benefit analysis on
ADAS.
RESPONSE 3 is part of the PReVENT Integrated Project. The project has three aims:
To develop a risk assessment procedure for next-generation sensors
within ADAS
To provide input on specific ADAS issues to the automotive version
of IEC 61508 being developed by FAKRA
To develop a Code of Practice for development and testing of ADAS.
In proposing a Code of Practice, all technical reliability and system safety issues will be assumed
to be covered by the future automotive specific adaptation of IEC 61508. The Code of Practice will
describe elements and phases for a human factors design process as part of the whole ADAS
development process. The Code of Practice will be applicable from the time that the first ADAS
concept development starts up to the commencement of vehicle production (Job #1).
University. The motivation for this work has largely been the US Department of Defense, in
seeking to improve the quality and uniformity of products and services it procures whilst
addressing the plethora of standards that exist.
CMMI brings together the older CMMs, namely:
Capability Maturity Model for Software (SW-CMM)
Systems Engineering Capability Maturity Model (SE-CMM)
Integrated Product Development Capability Maturity Model (IPD-
CMM)
The application of CMM and CMMI is perhaps best-known in the software context (ie from SW-
CMM).
Within CMMI there are four types of models:
software engineering
software engineering and system engineering
software engineering, system engineering and integrated product
and process development
software engineering, system engineering, integrated product and
process development and supplier sourcing
A CMMI model consists of model components called process areas, each of which contain a
purpose statement, introductory text, specific goals, specific practices, generic goals, and generic
practices. These model components are contained in both representations.
Each CMMI model has two representations, staged and continuous. Both representations of a
CMMI model contain nearly identical information. A representation reflects the organization, use,
and presentation of model components within a CMMI model.
The staged representation is intended for approaching process improvement step by step.
Process areas are grouped at maturity levels that provide organizations with a proven approach for
process improvement. The staged representation specifies the order in which each process area
is implemented according to maturity level and the necessary performance that has to be achieved
before moving to the next level. This staged approach focuses on total organizational
improvement using a proven building block approach.
The continuous representation is offered as an alternative but complementary approach to process
improvement. It is designed for organizations that want to focus on a particular process area or set
of process areas based on known issues in the organization or on the organizations business
objectives. The organization maps its process-improvement objectives to CMMI process areas to
identify which process areas to implement. As each process area is implemented, the specific
practices and generic practices are implemented incrementally according to capability level. The
continuous representation also allows an organization to implement different process areas at
different rates. In addition, the organization of the process areas in the continuous representation
is derived from ISO 15504 and permits alignment of the CMMI approach with the SPICE approach.
CMMI is not explicitly concerned with developing safety-related systems. Safety activities are
frequently mentioned as an example of activities that might have to be considered at various
stages. Examples include, but are not limited to:
Project management > risk management
Engineering > requirements development
Engineering > technical solution
Support > configuration management
The Automotive Special Interest Group of the Procurement Forum is developing guidance on
applying SPICE processes to the assessment of automotive software suppliers. A number of
European automotive OEMs are already requiring that their software suppliers be subject to SPICE
audits, and the intention of Automotive SPICE is to produce a common assessment framework that
is acceptable to all the OEMs. Thus, if a supplier has been assessed according to Automotive
SPICE and found to have a certain capability level, this is then acceptable to any OEM who
requires a supplier with a capability up to that level.
The work of the Automotive SPICE group is concerned initially with developing a unified framework
to the quality and development process attributes found in ISO 15504. CUS processes have
been replaced with ACQ (acquisition process). It is planned to address safety aspects at a later
stage.
Safety
IEC 61508 is an international standard with the title Functional safety of electrical, electronic and
programmable electronic safety-related systems [20]. Although IEC 61508 is a generic standard,
its origins are in the process control industry sector. The standard is intended to be used in two
possible ways:
As the basis for a sector-specific standard. Parts 14 of IEC 61508
have been designated a basic safety publication by IEC, which
means that they should be included in any sector instantiation of the
standard, with interpretation where appropriate;
As a standard to be applied directly, where no sector-specific
standard yet exists.
IEC 61508 was developed against the model of equipment [that is] under control, for example an
industrial process in a chemical plant; and of the safety functions that need to be applied to that
equipment. These safety functions may be part of the control system for that equipment, or they
may form a dedicated protection system. These are distinguished in the standard as continuous
(or high-demand) systems and on demand systems.
IEC 61508 sets requirements for the reliability of the safety functions, which is known as safety
integrity. In practice, safety integrity is classified into discrete levels called safety integrity levels
(SILs). Hazard analysis is used to identify the safety functions that are needed, and the SIL of the
system that performs them can be determined by classifying the severity of the hazards. The SIL
indicates the reliability that must be achieved where this can be calculated, for example, for
electronic hardware; or the degree of rigour that must be achieved in the design and
implementation measures in order to gain adequate confidence in the system. These measures
are usually those needed to reduce systematic faults such as software errors or (lack of)
electromagnetic immunity.
IEC 61508 is already being suggested as the standard to apply to automotive systems (but see
also Item 2.2.14). The IEC 61508 frequently asked questions (FAQ) [21] suggests that
automobile indicator lights, anti-lock braking and engine-management systems are examples of
safety-related systems and further suggests that ABS is an example of an on demand safety-
related system. However there are a number of issues with the direct application of the standard
in the automotive domain:
1. The term functional safety in IEC 61508 only refers to the safety of the equipment under
control and its control system that depends on the correct functioning of the electrical,
electronic and programmable electronic safety-related systems, other technology safety-
related systems and external risk reduction facilities. In many automotive systems, the
manufacturer needs to be concerned with the safety of the system due to its control
functions, not just the safety functions.
2. Methods for the determination of SILs (such as the risk graph) are only given as examples,
and versions for the automotive industry need to be developed.
3. Many of the techniques and measures recommended in IEC 61508 are very specific to the
industrial process control sector.
4. The model of validation in the standard does not align with the automotive industry
practices of prototype development and testing, and the automotive Type Approval
process.
5. Compliance with IEC 61508 requires a clause-by-clause demonstration of compliance with
the objectives of the standard that may not be possible if alternative techniques have to be
proposed in the automotive context.
There are however many useful techniques and concepts in IEC 61508, and the importance of this
standard cannot be underestimated. Nevertheless, further and not insignificant work is needed to
adapt it to the automotive domain.
Safety
Development Guidelines for Vehicle Based Software (better known as the MISRA Guidelines)
[22] was developed in the early 1990s by a UK-based consortium of automotive companies
representing vehicle manufacturers, the supply chain and researchers. The Guidelines were
written against the background of the development that was taking place on IEC 61508 and
acknowledged that, while the track record of the automotive industry in respect of embedded
software was good, a recognized industry position on embedded software development for safety-
related vehicle control systems was needed.
The team producing the Guidelines had access to draft material from the committees that
produced IEC 61508, and many of the concepts and principles in this standard are embodied in
the Guidelines. The Guidelines sought to incorporate these principles within the context of the
standard approaches for automotive engineering.
The notable approaches in the Guidelines are:
Safety
EN 50126 (Railway Applications: The specification and demonstration of Reliability, Availability,
Maintainability and Safety (RAMS)), EN 50128 (Railway Applications: Software for railway control
and protection systems), and EN 50129 (Railway Applications: Safety related electronic systems
for signalling) are a group of European standards dedicated to railway systems.
These standards describe processes to be followed in order to be able to assure the safety of
railway systems. EN 50126 [23] is the top-level document. It contains the overall process for the
total railway system and defines the Safety Integrity Levels (SILs). It gives the framework for the
more detailed activities, which are described in the accompanying documents EN 50128 [24] and
EN 50129 [25]. EN 50128 is the software specific part of EN 50129.
This family of standards is designed to be broadly consistent with IEC 61508 EN50126 und
EN50128 are based on earlier versions of IEC61508 and EN 50129 is based on the current
version. Hence, the contents are similar to those of IEC 61508. EN 5012x are customized for
railway applications and embodies good practice for both signalling and train-borne systems. The
requirements regarding techniques and methods that should be used for the different SILs are
tightened such that some methods are now highly recommended for SIL 3 whereas these
methods are only recommended at SIL 3 in IEC 61508.
2.2.16 DO-178B
Safety
The purpose of the RTCA document DO-178B Software Considerations in Airborne Systems and
Equipment Certification [26] is to provide guidelines for the production of software for airborne
systems and equipment that performs its intended function with a level of confidence in safety.
The guidelines give:
Safety
The SAE Standard ARP 4754 Certification Considerations for Highly-Integrated Or Complex
Aircraft Systems [27] discusses the certification aspects of highly-integrated or complex systems
installed on aircraft. The term highly-integrated refers to systems that perform or contribute to
multiple aircraft-level functions. The term complex refers to systems whose safety cannot be
shown solely by test, and whose logic is difficult to comprehend without the aid of analytical tools.
The document addresses the total life cycle for systems that implement aircraft-level functions. It
excludes specific coverage of detailed systems, software and hardware design processes beyond
those of significance in establishing the safety of the implemented system. The focus is toward
ensuring that safety is adequately assured through the development process and substantiating
the safety of implemented systems. It contains detailed instructions on how to integrate various
assessments into the system development process to ensure freedom from safety critical design
and implementations flaws.
Figure 30 below outlines the relationships between various documents providing guidelines for
system development, safety assessment, and the hardware and software life-cycle processes:
Intended
Function, Failure System Design
Aircraft and Safety
Function Information
Functional
System Development System
Processes
(ARP 4754)
Aircraft System Functions and
Development Requirements Implementation
Process
Aircraft functions
Aircraft Level
Aircraft Level
FHA
Functional
Failure condition, Effects,
Requirements
Functional
Classification, Safety Requirements
Failure
Conditions Allocation of
& Effects
Aircraft Functions
System Level system functions
to Systems
FHA Sections
Failure condition, Effects,
Classification, Safety Requirements
Development
Separation of System
Architectural Requirements
CCAs Requirements Architecture
PSSAs system architecture
Allocation of Item
Item Requirements Requirements to
Item Requirements, Hardware and
Safety Objectives,
Analyses Required Software
Separation &
System
Verification SSAs
implementation
Implementation
Certification
2.2.18 MIL-STD-882D
Safety
This standard practice for system safety [29] is issued by the US Department of Defense (DoD)
and describes an approach for managing mishap risks in DoD systems regardless of their
implementation technology. It provides requirements for the identification and evaluation of mishap
risks, and for mitigating these risks to an acceptable level. The actual requirements that have to be
met if conformance to MIL-STD-882D is to be claimed are covered on two pages, with the rest of
the 26 pages providing guidance, definitions and other supportive information.
The most important part of the standard, i.e. the actual requirements, defines the system safety
activities that shall be performed. There is an emphasis on organizational and procedural aspects
rather than technology-related details.
Safety
The MATISSE project [30] had the objective of developing industrial-strength methods and
associated technologies for the engineering of software-based critical systems. This was achieved
in practice by recommending a process based on the use of formal mathematical methods.
The project partners were Aabo Akademi University, ClearSy, CNRS-TIMA Laboratory Grenoble,
Gemplus, Siemens Transportation Systems, University of Southampton and QinetiQ.
The project produced the MATISSE Handbook showing how the formal mathematical methods
proposed could be incorporated into the product engineering lifecycle for safety-related systems.
The handbook includes material provided from the separate perspectives of the executive board of
an organization, the project manager and the practitioners responsible for the design and
implementation.
The project recommendations are based on analysis and experiences of three industrial case
studies developed as part of the MATISSE project:
automatic transportation system (actually part of an automated
railway control system);
multi-application smartcard embedded byte-code verifier;
Safety
The overall goal of the SETTA project [31] was to push time-triggered systems - an innovative
European-funded technology for safety-critical, distributed, real-time applications such as fly-by-
wire or drive-by-wire - into future vehicles, aircraft, and train systems. To achieve this goal, SETTA
focused on the systems engineering of time-triggered systems. The SETTA consortium consisted
of leading European companies in the transport and component supplier sector (DaimlerChrysler,
Renault, Airbus Germany, Alcatel Austria, and SiemensVDO), innovative European high tech start-
ups (TTTech, DECOMSYS), and universities with an excellent reputation in real-time (University of
Technology at Vienna) and safety-critical systems (University of York).
A key feature of the SETTA methodology is virtual prototyping. Time-triggered systems are, in
contrast to event-triggered systems, fully predictable in their run-time behaviour. SETTA exploits
this property for advanced system modelling. Simulation building blocks for the Matlab/Simulink
environment were developed by DECOMSYS (product name: xCom) which model the
communication behaviour of time-triggered systems. Based on these building blocks, virtual
prototypes of distributed, embedded systems - e.g., a brake-by-wire system - can be easily
realised. Various properties of the embedded system, e.g., the accuracy of distributed control
algorithm, or the correctness of fault-tolerance strategies, can be analysed before a physical
prototype is built.
Further tool components were developed in the course of the SETTA project to increase the
maturity of virtual prototypes. A verification tool developed by TTTech (product name: TTPVerify)
checks the correctness of scheduling configuration files. The verification tool will be certified with
respect to Federal Aviation Administration (FAA) standards. A prototypical worst-case execution
time analysis tool (WCET) from the Technical University of Vienna calculates the worst-case
execution time of programs statically. This tool is tightly integrated into the Matlab/Simulink
environment and supports WCET analysis on the modelling level. Two target processor
architectures - Motorola M68000 and Siemens C167CR - are supported.
A further objective of the SETTA project was better integration of functional development and
safety analysis. A prototypical fault-tree synthesis tool set has been developed by DaimlerChrysler
in co-operation with the University of York. The synthesis algorithm performs a backward traversal
of the data flow graphs given by the virtual prototype. Finally, a robustness analysis tool from
DaimlerChrysler helps to identify design errors in stateflow components of virtual prototypes.
The SETTA methodology and the corresponding tool components were evaluated by pilot
applications from the automotive, aerospace, and railway domain. The automotive validator is a
brake-by-wire system combined with an adaptive cruise control system, implemented by
DaimlerChrysler, Renault and SiemensVDO. Two control loops are closed by a time-triggered
communication system: firstly, the basic control loop between braking pedal and brake actuator,
and secondly, between brake system and adaptive cruise control system. The aerospace validator,
which has been developed by Airbus Germany, is a cabin pressure regulation system which
controls the pressurisation of the cabin via out flow valves. Their opening will be commanded
according to the desirable pressure in the cabin. Since the pressure regulation in the entire cabin is
safety critical, it operates fully automatically. The automotive and aerospace validator were
developed firstly as virtual prototypes and secondly as physical prototypes. Alcatels railway
validator covers a redesigned Field Element Controlling (FEC) subsystem of Alcatels electronic
interlocking system ELEKTRA. The railway validator is used for the evaluation of the WCET
analysis tool and the schedule verification tool.
Safety
ESACS (Enhanced Safety Assessment for Complex Systems) is a European GROWTH project
running from 2001 to 2003. The technical and scientific objectives of ESACS are to define a
methodology to improve the safety analysis practice for complex systems development, to set up a
shared environment based on tools supporting the methodology, to validate the methodology
through its application to case studies. The environment between design and safety will consist of
tools to generate parts of the safety analysis using information extracted directly from the system
model and of a repository including all the safety information related to the complex system under
development.
Current development processes are characterized by the fact, that on the one hand, models are
developed by the system design engineer to specify and to analyse the expected behaviour of the
system under consideration. This is done on different levels of abstraction resulting in
requirements models or lower level architectural models.
On the other hand, the envisaged system is analysed by safety specialists with respect to
malfunctions (unintended behaviour). The safety analysis, performed at each stage of the system
development, is intended to identify all possible hazards with their relevant causes. Among
common safety analysis methods are Functional Hazard Analysis, Failure Mode and Effect
Analysis (FMEAs) and Fault Tree Analysis (FTA). Partly, mathematical methods are used (FTA,
stochastic models such as Markov Processes).
Currently, effects of erroneous behaviour are mostly determined by engineering judgement and
verified by testing. The accurate engineering judgement is becoming more and more difficult: the
number of possible system states increases due to digital controllers and due to increasing
interaction between different aircraft system which involves a risk of interaction failures. Often the
classification of effects is too pessimistic: a worst case consideration is made resulting in
additional redundancies raising the price of the resulting system in an unnecessary way.
Currently, information between system engineer and the safety analyst about the same system is
exchanged by means of paper: i.e. information about the system behaviour given by text or by a
model is first interpreted by the safety analyst and in a next step FMEAs or FTA are performed
(supported by other tools). This type of information processing is error-prone, implies duplication
of efforts in modelling the system (once for the design and once for the safety) and also delays the
identification of the system problem areas. In fact, in this way, the safety process is slightly
delayed in respect to the design process.
A solution to these problems is to perform the safety assessment analysis in some automated way
directly from the system functional model. This means that the models used for the design of the
system must be enriched with safety information/requirements and with simulation
methods/checkers and tools to help to realise a correct and effective safety assessment analysis.
The main innovations and benefits coming out of this project are the following:
The integration of the safety and design/development processes will
be enhanced
Traceability of safety issues during the complex system development
will be improved
Computer aided analysis helps to master complexity
Worst case considerations in FMEAs and FTA can be avoided
Weak points that are difficult to detect by engineering judgement can
be revealed in the early phase of design
The activities of designing and doing safety analysis can be done
more easily in an iterative manner which result in a more effective
development process, where the results of the safety analysis can
influence the design in short period of time
All these points will lead to a higher level of confidence in the certification process.
Some of the ESACS deliverables are publicly available at www.esacs.org:
Deliverable 1: Requirements for improving the safety process on
Complex systems and definition of the tools integration concepts,
May 2001.
Deliverable 4: Formal notations suitable to express safety properties
identified, September 2001.
Deliverable 6: Safety techniques for complex systems, October
2001.
Deliverable 7: Tools for performing safety analysis starting from the
design system model, February 2002.
Deliverable 14: Results of methodology application on cycle 1 case
studies, April 2003.
Deliverable 18: Results of methodology application on cycle 2 case
studies, October 2003.
Safety
ISAAC (Improvement of Safety Activities on Aeronautical Complex systems, FP6-2002-Aero-1-
501848) is a follow-up project of ESACS.
The FP5 project ESACS has shown the benefit of using formal techniques to assess aircraft
safety. ISAAC builds upon and extends the results of ESACS to go a step further into the
improvement and integration of safety activities of aeronautical complex systems. Potential
benefits range from higher confidence in the safety of systems to increased competitiveness of
European industries.
To reach the goals mentioned above, ISAAC will focus on the following three dimensions:
Extension of formal techniques to deal with human error, common
cause analysis, mission analysis, and testability. This will help
providing a more comprehensive tool-supported coverage of the
safety analysis process.
Improvement of the ESACS notations to represent safety
requirements and qualitative (timing) and quantitative aspects. This
will help improving interaction and increasing the quality of the
results provided by tools.
Integration, achieved through common methodological
recommendations and shared libraries and interfaces. This is one of
the keys to improve, e.g. the efficiency of industrial processes, that
more often rely on the use of different tools.
ISAAC's results will be used by the partners to improve their safety process for their present and
future programs. The results will also be disseminated to other areas, like, e.g., transportation
(railway and automotive), industrial process control, energy production.
2.2.23 ASCET-SD
ASCET-SD [41], [42] is developed by ETAS GmbH (Stuttgart, Germany). It is used to create an
abstract model-based description of the functionality of an ECU and generate optimized target
code based on the model specification.
ASCET-SD pursues an object-based approach to functional modelling. The main modelling
elements are modules and classes. Classes (e.g. a filter algorithm or a PID controller) can be
multiply instantiated (in a particular model) and each instance independently parameterized. By
this means the creation of lean model descriptions is possible.
The currently available version of ASCET-SD is V4.2. According to the vendor, the main benefit of
ASCET-SD is the abstract model description in the physical domain. The transformation to the
limited numerical capabilities of a typical microcontroller is supported by the definition of
conversion formulae between the physical and the raw data domain as well as the ASCET-SD
code generator.
The latter can be used either to create code for particular functions that can be added to manually
created code projects or as an integration platform for the creation of the entire ECU software incl.
the necessary OSEK RTOS. The first use case mentioned above is also known as the additional
programmer scenario.
Furthermore, the tool supports a smooth transformation of the abstract model to the ECU target by
providing simulation experiments on different levels of abstraction (i.e. physical, quantized, integer
arithmetic). Simulation experiments can be carried out in real-time on the so-called ES1000
development and experiment platform. The latter can also be used to set up bypass applications
for the stepwise development of ECU software.
The executable code generated by ASCET-SD is accompanied by a corresponding ASAM MCD
2MC description. For more information about the range of supported microcontroller target please
consult the ETAS website.
Please note that particular versions of ASCET-SD have recently been certified according to the
IEC61508 standard for safety-related applications.
2.2.24 AutoFOCUS
2.2.25 DECOMSYS::SIMCOM
Furthermore, fault injection interfaces are provided. By this means the robustness of control
algorithm with respect to channel loss, node loss, message loss, frame disturbance, etc. can be
studied.
Since the FlexRay communication system has been developed with special emphasis on safety-
critical applications, it is highly relevant for the EASIS project.
2.2.26 MATLAB/Simulink/Stateflow
2.2.28 SCADE
2.2.30 TargetLink
Furthermore, a whole blockset is provided for adapting particular model functionality to the
requirements of series code. TargetLink provides means for simulating the generated code in a
PC-hosted environment. Furthermore, the generated code can be optimized with respect to target-
specific characteristics. This feature is called target-awareness.
Simulink models can be converted to TargetLink models and vice versa. According to dSPACE,
the code generated by TargetLink is conform to the vast majority of MISRA C [34] rules.
Exceptions from the rules are identified and documented.
Drives seamless software development process from requirements to code generation increases
productivity and assures meeting the highest quality standards. SCADE Drives efficient generated
source code is MISRA-compliant and IEC 61508 SIL Level 4 certification is in progress. For critical
embedded software that must perform perfectly the first time and every time, the SCADE proven
development environment is the choice of industry leaders.
2.2.34 CANoe
Automotive tools > Design tools > Infrastructure and middleware design
The main purpose of CANoe [53] (Vector Informatik GmbH, Stuttgart, Germany) is the
development of communication networks for automotive systems . According to the vendor, the
major application areas are:
Communication design/model creation: definition of the
communication matrix.
Communication validation: provide a reliable simulation platform for
bus communication.
Remaining bus simulation/functional test: CANoe simulations can be
seamlessly combined with existing ECUs. By this means parts of the
bus are actual existing while others are simulated by CANoe.
Diagnostics: analysis of diagnostics communication.
Distributed development/integration: mutually independent and
parallel development of network nodes
CANoe supports various communication protocols such as CAN [54], [56], LIN, MOST, FlexRay,
etc.. The behaviour of the ECU code is accurately simulated down to the consideration of RTOS
activities. For this purpose Vector provides the osCAN library that enables the operation of OSEK-
based applications as part of CANoe simulation experiments.
5.8.2004 Version 1.0 90
EASIS Deliverable D0.1.2
2.2.35 DECOMSYS::DESIGNER
Automotive tools > Design tools > Infrastructure and middleware design
DECOMSYS::DESIGNER is the fundamental tool for design- and configuration tasks in the entire
DECOMSYS FlexRay toolchain.
In this context, the tool is used to describe the system structure (i.e. nodes, controller, busses) as
well as the data flow (signals, relationships between sender and receiver, etc.) among the nodes
based on a block structure.
Furthermore, it is possible to add scheduling information for the bus system (the cluster). Then, the
dataflow graph must be mapped to the hardware structure.
Code generation of configuration files, the FTCom layer, and documentation can be carried out on
the basis of the information gathered in DECOMSYS::DESIGNER.
The workflow in DECOMSYS::DESIGNER is supported by various wizards, e.g. for defining the
bus schedule. A property view for getting detailed information about particular objects is also
provided.
2.2.36 DaVinci
Automotive tools > Design tools > Infrastructure and middleware design
The DaVinci tool suite [55] (developed by Vector Informatik GmbH, Stuttgart, Germany) can be
used to:
Develop complex distributed automotive software systems on the
basis of reusable software components.
Perform the integration of reusable software on a single ECU and
automatically create required communication middleware as well as
the configuration of the underlying OSEK RTOS.
DaVinci (currently available as V1.0) provides abstract modelling means for the formal
specification of reusable vehicle functions. A collection of vehicle functions (in DaVinci terminology:
software components) can be compiled to form the software architecture (or: software system) of a
specific vehicle.
Furthermore, it supports the specification of the hardware topology (i.e. ECU, bus, sensor,
actuator) thus defining a so-called hardware system. The combination of software system and
hardware system (mapping system) is the basis for the concrete realization of a specific ECU
functionality.
For this purpose the behaviour of software components must be specified by either direct C coding
or the usage of BMT and accompanying code generators. For sensors and actuators, ECU-specific
firmware must be provided.
A code generator is subsequently used to integrate both software components and firmware with
the RTOS and the communication middleware.
The code can be generated for either a PC-based experimental system based on CANoe (see Item
2.2.34) or (with identical functionality) directly for the target ECU.
The DaVinci methodology is based on a formalized approach. Therefore, models can be validated
against the formal methodology. For this purpose a multitude of validation checkers is provided as
part of the tool suite. The user gets detailed information about potential violations of modelling
constraints. This is a major prerequisite for building safety-related applications.
DaVinci supports a distributed development process based on the exchange of XML documents
and/or the usage of a configuration management tool. The main area of application is currently
body electronics but the methodology is not limited to this domain and can be extended to other
application domains (e.g. Telematics, power train).
2.2.37 TTP-Plan/TTP-Build
Automotive tools > Design tools > Infrastructure and middleware design
TTP-Plan [57] (provided by TTTech Computersysteme AG, Vienna, Austria) is a tool for designing
the global timing and communication pattern of a TTP bus.
According to the vendor, the composability and modular testability of systems based on the time-
triggered approach relies on a correct and complete specification of the system-wide
communication schedule both in the value and time domains.
TTP-Plan is used to create such a schedule by means of a graphical user interface or
import/export interfaces. Furthermore, the design can be checked for correctness and the
properties of the network (e.g. bus utilization, etc.) can be visualized on demand.
Individual nodes can be designed using the TTPBuild tool [58]. This affects in particular the
scheduling of tasks and the generation of the OS configuration.
2.2.38 VNA/LNA
Automotive tools > Design tools > Infrastructure and middleware design
The Volcano Network Architect (VNA) [59] as well as the analogous tool for LIN, LIN Network
Architect (LNA), is provided by the Volcano Automotive Group (Gteborg, Sweden).
According to the vendor, VNA is a standalone offline tool, providing a user-friendly Windows
interface for logically describing and configuring CAN and LIN networks at a high abstraction level.
In a nutshell, the Volcano approach for middleware development is to establish a holistic
mathematical model of the entire communication processes on a specific bus. Based on this
model, it is then possible to assign certain time slots to different messages in order to avoid
collisions and thus remove the need for arbitration.
By this means, according to Volcano Automotive, it is possible to set up a deterministic and reliable
communication scheme even for CAN communication. For implementing the results of the
mathematical communication model, as special code generator (the offline tools) to create the
communication middleware has been realized.
2.2.39 RT-Builder
Automotive tools > Design tools > Infrastructure and middleware design
Commercial product overview [60]:
RT-Builder is one of the most advanced solutions for Real-Time design, modeling and analysis of
complex, multi-processors and multi-bus systems and software.
For complex and critical real-time system and software design, RT-Builder is an environment for
specifying, modeling and analysing control and data-oriented fonctions.
With RT-Builder, users can model, simulate, formally verify and executable specifications and
prototypes of their systems prior to HW availability, and of course generate design documentation.
RT-Builder is the unique tool supporting both asynchronous and synchronous aspects of real-time
developments thanks to its GALS (Globally Asynchronous Locally Synchronous) approach, and
managing both control and data-flows.
RT-Builder comes with existing libraries modeling advanced Real-Time Operating Systems
(RTOS) and Bus libraries: ARINC653 for Integrated Modular Avionics, CAN, OSEK, FlexRay
5.8.2004 Version 1.0 92
EASIS Deliverable D0.1.2
standards for Automotive. These libraries can easily be customized or extended to integrate
dedicated needs or provide a powerful support of customers real-time choices.
With RT-Builder, users can model and manage interactions between control and data functions,
but also concurrency, multi-tasking, pre-emptive actions, shared resources, event routing and
filtering, FIFO buffers, point-to-point data propagation time.
2.2.40 CalDesk
2.2.41 CANape
2.2.42 INCA
2.2.43 Marc I
2.2.44 TTP-Calibrate
2.2.46 LabCar
CANdela Studio [69] is developed and distributed by Vector Informatik GmbH. It features the
detailed description of diagnostic telegrams for various diagnostics protocols. Furthermore, it
provides a template mechanism by which means the tool can be adapted to specific customer
requirements.
CANdela Studio is tightly integrated with the CANdesc diagnostics embedded software component.
A code generator provides means for automatically generate and configure an instance of
CANdesc according to the description of diagnostics telegrams carried out by means of CANdela
Studio.
Furthermore, the tool is integrated with the CANoe tool. By this means the user has full access to
the diagnostics interface of (simulated) ECUs. As mentioned before (see Item 2.2.41), CANdela
studio collaborates with CANape by providing a diagnostics view for the latter.
2.2.49 CANalyzer
2.2.50 FaultTree+
FaultTree+ is used in all the safety process during safety assessment activity. The analysis is more
and more deep (fault tree more detailed) as the system development progresses. The main
modelling capability of FaultTree+ is pictorial representation of fault trees. FaultTree+ supports the
following quantitative failure models:
fixed unavailability and failure frequency model
constant failure and repair rate model
mean time to failure and repair model
dormant failure with periodic inspection model
sequential failure model
event tree initiator model
standby model
uncertainty values
The analyses supported by this tool are:
cut sets (qualitative analysis)
calculation of system unavailability and related parameters (e.g. total
system down time, number of failures over the observation time, etc.)
calculation of gates probabilities
importance analysis (e.g. Fussell-Vesely, Birnbaum, etc.)
time-dependent, sensitivity and confidence analysis
common cause failures
Event trees describe scenarios where more than one top level event occurs. This analysis
complements FTA because across-fault-tree dependencies can be visualized and computed.
2.2.51 IQ-FMEA
The definition of system structure and functions serve the purpose of deriving an extensive
collection of failure modes. Thus failure modes are derived from component function. The
easiest way to do so is to negate the functions: function component delivers output,
negation component does not deliver output.
Each malfunctions is thus associated with a function and via the function with a system
component.
The user can construct a kind of failure network in order to represent the dependencies
between malfunctions. IQ-FMEA supports a forward approach in order to generate the
FMEA formsheet, however the resulting failure net can be displayed as a preliminary fault
tree (this kind of tree is different form the fault tree used in FTA as this tree is not
generated in a top-down analysis of the system) which can hold the information of AND and
OR gates, but will only compute the OR-Logic.
4. Quantitative Analysis
Given failure rates and repair rates for every leaf in the fault tree, the values for
malfunctions of the system can be computed.
5. Concept optimization and definition of counter measures
For each system component a FMEA table will be automatically created. The user has now
to include suggestions for possible counter measures by which the failure can be prevented
or detected.
2.2.53 ORA
2.2.55 PC-lint
2.2.56 SARAA
2.2.57 StackAnalyzer
The StackAnalyzer (provided by Vector Informatik GmbH) provides resources for determining the
stack usage of individual functions. By this means potential stack overflows can be detected and
avoided.
The result of the analysis is provided graphically in form of a function call tree. By this means
developers can conveniently browse the stack requirements of individual functions called by the
application software.
Please note that the availability of the StackAnalyzer is limited to certain microprocessor platforms,
i.e. Infineon C16x, Motorola MPC5xx and 68HC12, STMicroelectronics ST10.
2.2.58 SQMlint
2.2.61 TTP-Verify
5.8.2004 Version 1.0 99
EASIS Deliverable D0.1.2
2.2.63 Polyspace
Polyspace Auditor Edition. Source code verification for software applications that have to comply
with embedded system industry standards (DO-178B, MISRA). Fast, easy to use, repeatable and
low cost acceptance criteria for software applications. Includes:
Verification of compliance with standards through static analysis
Precise and automatic identification of software reliability breaches
Multi-task analysis for control and data coupling verification
Support documentation to meet with independent quality control
procedures
Qualification package upon request
Available for Ada, C++ and C development languages.
This tool permits the checking/validation of code with a simulation of the dynamic operation of a
program by mathematical algorithms, without execution of the code, and only the boundaries of
validity of the input and output signals are required.
This tool mainly identifies errors at run-time and dead code. It permits making the process more
robust.
2.2.64 eASEE
Automotive tools
Despite the trend to concentrate on the automotive core business, a multitude of companies still
use specially tailored in-house solutions developed in most cases by their own IT departments.
PSA use an in-house tool as part of the design process. The tool is used for the mapping of
functions on ECUs, and allows functional views for each ECU (internal and external functions), as
well as the resulting signals to be exchanged between ECUs.
PSA use an in-house tool for infrastructure and middleware design, which is a database of all the
frames of the communication system that have to be exchanged between ECUs
Although specific tools for measurement and calibration are available for many years now, the
share of in-house solutions of the overall "market" for measurement and calibration products is still
considered noticeably high. A similar trend may be observed for diagnostics tools.
3 Conclusions
3.1 Legislation
The present state-of-the-art is concerned with the Type Approval process that is aimed at
mechanically-based systems. The braking regulation contains an approval process for software-
based systems that is likely to be extended to other domains. The steering regulation is being
modified to permit approval of advanced systems. Work in research projects (notably the
RESPONSE series of projects) has identified the need for new processes and legislation to permit
the development and approval of advanced driver assistance systems. This is particularly
important in systems which may operate automatically without the possibility of the driver
overriding them (either because of their function or the reaction time involved).
The present state-of-the-art is concerned with attributes of the development process that are not
specifically concerned with safety. Safety attributes can be included, as has been done in the
space sector, but product assessment also needs to be included.
3.3 Safety
The concepts and principles of safety-related systems engineering are well known, and the most
relevant state-of-the-art is found in the MISRA Guidelines and IEC 61508. Several research
projects have looked at new techniques that can support the development of dependable
automotive systems. Further work is underway to adapt IEC 61508 specifically for the automotive
industry, and to transfer tools and techniques that have been successfully applied in other domains
(notably aerospace) to automotive systems.
3.4 Engineering
Each company (both OEM and supplier) has their own process and it is difficult to generalize a
state-of-the-art. However, these engineering processes have to be improved and adapted to the
requirements of Integrated Safety Systems of to meet future road safety targets. A gap analysis
has been presented of the way in which engineering processes need to be adapted.
For hardware and software, there are many different architectures in use ranging from vehicles
with few electronic modules through to luxury vehicles with many ECUs and several networks.
Standards are beginning to emerge for different safety aspects, notably in the powertrain and
chassis domains.
The evolution of automotive tools with respect to the emerging trend to use model-based design
methodologies facilitates the concentration on the actual engineering problem to solve. For
integrated safety systems, this trend obviously comes out right in time.
In particular, the following conclusions can be derived from the state-of-the-art of automotive tools:
The design of integrated safety systems should be based on as much as possible formal
and verifiable model descriptions (as opposed to the manual creation of source code
according to a prose requirements document).
5.8.2004 Version 1.0 103
EASIS Deliverable D0.1.2
The usage of simulation experiments, (formal) model checkers and/or modelling guidelines
is highly recommended.
The usage of automatic code generators is supposed to further contribute to reliability and
safety aspects of ECU software.
Of course, the test of ECU soft- and hardware using HIL technology is an important aspect
of integrated safety systems in terms of early elimination of potential hazards.
Some development systems (i.e. compiler, linker, etc.) provide some extended services
(e.g. MISRA checking, code coverage analysis) that are expected to have a positive impact
on the reliability of the integrated safety application.
4 Appendix
4.1 References
[1] IST Program EASIS project, Proposed structure for the state of the art deliverable of
D0.1, version 0.4, 12/2/2004, David Ward, MIRA.
[2] EAST-EEA project, Embedded Electronic Architecture, ITEA project 00009, Glossary, 30
October 2003.
[3] United Nations Economic Commission for Europe Regulation 10, Uniform provisions
concerning the approval of vehicles with regard to electromagnetic compatibility.
[4] United Nations Economic Commission for Europe Regulation 13, Uniform provisions
concerning the approval of vehicles with regard to braking.
[5] United Nations Economic Commission for Europe Regulation 48, Uniform provisions
concerning the approval of vehicles with regard to the installation of lighting and light-
signalling devices.
[6] United Nations Economic Commission for Europe Regulation 79, Uniform provisions
concerning the approval of vehicles with regard to steering equipment.
[7] United Nations Economic Commission for Europe Regulation 97, Uniform provisions
concerning the approval of vehicle alarm systems (VAS) and of motor vehicles with regard
to their alarm systems (AS).
[8] United Nations Economic Commission for Europe Regulation 100, Uniform provisions
concerning the approval of battery electric vehicles with regard to specific requirements for
the construction and functional safety.
[9] Statement of principles on human machine interface (HMI) for in-vehicle information and
communication systems, Official Journal of the European Communities, L19, pp. 64 68,
25 January 2000.
[10] RESPONSE Project information. <http://response.adase2.net/>
[11] UTMC 22 Project, Framework for the development and assessment of safety-related
UTMC systems. Available from <http://www.utmc.gov.uk/utmc22/pdf/utmc22-
framework.pdf>
[12] Commission Directive 95/54/EC adapting to technical progress Council Directive
72/245/EEC on the approximation of the laws of the Member States relating to the
suppression of radio interference produced by spark-ignition engines fitted to motor
vehicles and amending Directive 70/156/EEC on the approximation of the laws of the
Member States relating to the type-approval of motor vehicles and their trailers, Official
Journal of the European Communities, L266, 8 November 1995.
[13] CMMI Version 1.1, Carnegie-Mellon University, 2003.
<http://www.sei.cmu.edu/pub/documents/02.reports/pdf/02tr011.pdf>
[14] ISO/IEC TR 15504, Information technology Software process assessment (in 9 parts),
ISO, 1998.
[15] Automotive SPICE working group.
[16] A. Cass, C. Vlcker, L. Winzer, J.M. Carranza and A. Dorling, SPiCE for SPACE: A
Process Assessment and Improvement Method for Space Software Development, ESA
Bulletin 107, August 2001.
[17] C. Vlcker, R. Ouared, H. Steinen, Taking SPICE to the third dimension: adding risk
analysis to ISO 15504, 14th International Conference on Software and System
Engineering and their Applications (ICSSEA 2001), Paris, December 2001; available from
<http://www.synspace.com>
[18] H. van Loon, R. Dietze, F.A. Montero, Software reuse and SPICE for SPACE, SPICE
2003, ESTEC, Noordwijk.
[19] O. Benediktsson, R.B. Hunter and A.D. McGettrick, Processes for Software in Safety
Critical Systems in Software Process: Improvement and Practice, volume 6, issue 1, pp.
47-62, 2001, John Wiley and Sons Ltd.
5.8.2004 Version 1.0 105
EASIS Deliverable D0.1.2
[20] IEC 61508, Functional Safety of Electrical, Electronic and Programmable Electronic
Safety-Related Systems (in 7 parts), IEC, 19982000.
[21] IEC 61508 FAQs, <http://www.iec.ch/zone/fsafety/questions.htm>
[22] Development Guidelines for Vehicle Based Software, MIRA, November 1994. Also
available as ISO/TR 15497:2000.
[23] EN 50126, Railway applications The specification and demonstration of Reliability,
Availability, Maintainability and Safety (RAMS), CENELEC, 1999.
[24] EN 50128, Railway applications Communication, signalling and processing systems
Software for railway control and protection systems, CENELEC, 2001.
[25] EN 50129, Railway applications Communication, signalling and processing systems
Safety related electronic systems for signalling, CENELEC, 2003.
[26] DO-178B, Software Considerations in Airborne Systems and Equipment Certification,
RTCA, 1999.
[27] ARP 4754, Certification Considerations for Highly-Integrated Or Complex Aircraft
Systems, SAE, 1996.
[28] ARP 4761, Guidelines and Methods for Conducting the Safety Assessment Process on
Civil Airborne Systems and Equipment, SAE, 1996.
[29] US Department of Defense: MIL-STD-882D, Standard Practice for System Safety, 10
February 2000 (http://www.safetycenter.navy.mil/instructions/osh/milstd882d.pdf)
[30] MATISSE project, Methodologies and Technologies for Industrial Strength Systems
Engineering, IST Contract 11435, MATISSE Handbook for Correct Systems Construction,
April 2003.
[31] SETTA project, Systems Engineering for Time Triggered Architectures, IST Contract
10043, Final Document, 18 April 2002.
[32] UK Defence Standards: Def Stan 00-56, Safety management requirements for defence
systems (Parts 1 and 2); Def Stan 00-55, Requirements for safety-related software in
defence systems (Parts 1 and 2); Interim Def Stan 00-54, Requirements for safety-related
electronic hardware in defence systems (Parts 1 and 2). In each case Part 1 is the
requirements and Part 2 guidance.
[33] Hazard classification for moving vehicle hazards Controllability, MISRA Technical
Report, version 1, May 2004, available at <http://www.misra.org.uk>.
[34] Guidelines for the Use of the C Language in Vehicle Based Software, MIRA, April 1998.
[35] Verband der Automobilindustrie e.V. (VDA): Ensuring reliability of car manufacturers and
suppliers reliability methods and aids, VDA Series on Quality Management in the
Automobil Industry, Volume 3, Part 2, 2000. This document is only published in German:
Zuverlssigkeitssicherung bei Automobilherstellern und Lieferanten
Zuverlssigkeitsmethoden und Hilfsmittel, VDA Schriftenreihe Qualittsmanagement in
der Automobilindustrie, Band 3, Teil 2, 2000.
[36] Verband der Automobilindustrie e.V. (VDA): Quality assurance of suppliers, VDA Series
on Quality Management in the Automobil Industry, Volume 2, 3rd edition, 1998.
[37] Verband der Automobilindustrie e.V. (VDA): Ensuring quality during product realization,
methods and procedures System FMEA, VDA Series on Quality Management in the
Automobile Industry, Volume 4, Chapter 3, 2nd edition, 2003. This document is only
published in German: Sicherung der Qualitt whrend der Produktrealisierung, Methoden
und Verfahren System FMEA, VDA Schriftenreihe Qualittsmanagement in der
Automobilindustrie, Band 4, Kapitel 3, 2. Auflage, 2003.
[38] Verband der Automobilindustrie e.V. (VDA): Ensuring quality during product realization,
methods and procedures Fault Tree Analysis, VDA Series on Quality Management in
the Automobile Industry, Volume 4, Chapter 4, 4th edition, 2003. This document is only
published in German: Sicherung der Qualitt whrend der Produktrealisierung, Methoden
und Verfahren Fehlerbaumanalyse, VDA Schriftenreihe Qualittsmanagement in der
Automobilindustrie, Band 4, Kapitel 4, 4. Auflage, 2003.
[39] Verband der Automobilindustrie e.V. (VDA): Development of software dominated systems
Requirements for processes and products, VDA Series on Quality Management in the
Automobile Industry, Volume 13, 1st edition, 2002. This document is only published in
German: Entwicklung softwarebestimmter Systeme Forderungen an Prozesse und
Produkte, VDA Schriftenreihe Qualittsmanagement in der Automobilindustrie, Band
5.8.2004 Version 1.0 106
EASIS Deliverable D0.1.2
[47] Hoffmann, H.-P.: The automotive Approach to using Statemate MAGNUM and Rhapsody
MicroC, Whitepaper, I-Logix Inc., Andover, MA, USA,
<http://www.ilogix.com/whitepaper_PDFs/CONCEPT_TO_CODE.pdf>
[48] I-Logix Inc.: Statemate MAGNUM Product Brochure, I-Logix, Andover, MA, USA, 2003,
<http://www.ilogix.com/products/magnum/Brochure/StatemateMAGNUMBrochure(V3).pdf>
[49] dSPACE GmbH: More than just a Production Code Generator, product catalog, 2004,
<http://www.dspace.de/shared/data/pdf/katalog2004/dspace_catalog2004_targetimplemen
tation.pdf>
[50] Telelogic ObjectGeode, < http://www.telelogic.com/products/additional/objectgeode>
<http://www.asam.de/new/docs/P05-01-2MC-1-51.zip>
[65] Vector Informatik GmbH: CANape & CANape Graph User Manual, Version 5.0,
<http://www.vector-informatik.com/support/manuals/CANape_Manual_EN.pdf>
[66] ETAS GmbH: INCA Product Brochure, August 2002,
<http://www.etasgroup.com/downloads/inca_br_en.pdf>
[67] TTTech Computertechnik AG: Testing and Validating Time-Triggered Bus Systems, 2003,
<http://www.tttech.com/technology/docs/general/TTTech-TTP-Calibrate-and-TTP-
Verify.pdf>
[68] dSPACE GmbH: Cutting-Edge Systems for ECU/Controller Testing, product catalog, 2004,
<http://www.dspace.de/shared/data/pdf/katalog2004/dspace_catalog2004_ecu-
testing.pdf>
[69] Vector Informatik GmbH: CANdela Studio User Manual, Version 2.0, <http://www.can-
diagnostics.com/index.html??candela_studio.php>
[70] Vector Informatik GmbH: CANalyzer/DENalyzer User Manual, V4.1, <http://www.vector-
informatik.com/support/manuals/CANalyzer_Manual_EN.pdf>
[71] Fault Tree+ <http://www.isograph-software.com/ftpover.htm>
[75] Poledna, St.; Kroiss, G.: The Time-Triggered Communication Protocol TTPTM/C, Real-
Time Magazine, April 1998, <http://www.tttech.com/technology/docs/history/Real-Time-
Magazine_1998-04-The_Protocol_TTP-C.pdf>
[76] Programming Research Ltd, QA C and QA C MISRA
<http://www.programmingresearch.com>
[77] Polyspace Technologies <http://www.polyspace.com/datasheets/datasheets.htm>
[89] K-line: ISO 9141 Road vehicles -- Diagnostic systems -- Requirements for interchange of
digital information: <www.iso.org>
[90] KWP 2000 (Keyword protocol 2000): ISO 14230 Road vehicles -- Diagnostic systems --
Keyword Protocol 2000: <www.iso.org>
[91] Diagnostic on CAN: ISO 15765: <www.iso.org>
[92] ISO/ WD 15765-2 Road Vehicles - Diagnostic Systems, Part 2: Network layer services
June, 24th 1998: <www.iso.org>
[93] System safety in computer-controlled automotive systems, Nancy G. Leveson, SAE
Congress, March 2000. <http://sunnyday.mit.edu/papers/sae.pdf>
[95] Safeware: System safety and computers, Nancy G. Leveson, Addison-Wesley, 1995.
<http://www.safeware-eng.com/index.php/publications/booktoc>
[96] Software deviation analysis: A Safeware technique, Jon Damon Reese and Nancy G.
Leveson, AIChe 31st Annual Loss Prevention Symposium, Houston, Texas, March 1997.
<http://sunnyday.mit.edu/papers/cels97.pdf>
[97] Preserving system safety across the boundary between system integrator and software
contractor, Jeffrey Howard, SAE 04AE-144, 2004.
<http://www.safeware-eng.com/publications/04ae-144.doc>
[98] Product line approach to software development, Carnegie Mellon Software Engineering
Institute. <http://www.sei.cmu.edu/plp/plp_init.html>
[99] Software architecture technology initiative, Carnegie Mellon Software Engineering Institute.
<http://www.sei.cmu.edu/architecture/sat_init.html>
[100] Predictable assembly from certifiable components (PACC) initiative, Carnegie Mellon
Software Engineering Institute. <http://www.sei.cmu.edu/pacc/pacc_init.html>
[101] Reusable specification components for model-driven development, Kathryn Anne Weiss,
et al, INCOSE 2003. <http://sunnyday.mit.edu/papers/incose.pdf>
[102] Evolutionary Project Management & Product Development, Kai Gilb, 2003.
<http://www.gilb.com/Download/EvoProjectMan.pdf>
[103] A Requirements Modeling Framework for High Integrity Software-Intensive Automotive
Product Lines, Sushil Birla (General Motors), Ramin Tavakoli Kolagari (DaimlerChrysler),
MKWI 2004, Multikonferenz Wirtschaftsinformatik, Teilkonferenz 8: Software-Produktlinien,
2004-03-10.
[104] Completeness in formal specification design for process control systems, Nancy G.
Leveson, Proceedings of Formal Methods in Software Practice Conference, August 2000.
<http://sunnyday.mit.edu/papers/completeness.pdf>
[105] Completeness and consistency in hierarchical state-based requirements, Mats P.E.
Heimdahl and Nancy G. Leveson, IEEE Transactions on Software Engineering, May 1996.
<http://sunnyday.mit.edu/papers/mats-tse.pdf>
[106] Formal analysis of hierarchical state machines, Rajeev Alur, University of Pennsylvania.
<http://www.cis.upenn.edu/~alur/Talks/hsm03.PDF>
[107] M. Weber, J. Weisbrod, Requirements Engineering in Automotive Development:
Experiences and Challenges, IEEE Software, Jan/Feb 2003.
[108] Competitive Engineering, Tom Gilb, 2003.
<http://www.gilb.com/Download/CompetitiveEng.pdf>
[109] Making formal methods practical, Marc Zimmerman, et al, Digital Aviation Systems
Conference, Oct 2000. <http://sunnyday.mit.edu/papers/dasc-fm.pdf>
[110] Enhanced safety assessment for complex systems, ESACS Technical and scientific
objectives. <http://www.cert.fr/esacs/overview.html>
[111] How AP233 supports a systems engineering process, ISO.
<http://step.jpl.nasa.gov/AP233/>
[112] Requirements engineering knowledge management based on STEP AP233,
Heimannsfeld, K. and Mueller, D., IMW Institutsmitteilung Nr. 25, 2000.
<http://www.imw.tu-clausthal.de/inhalte/forschung/publikationen/
mitteilungen/25/pdf/2000_073_heimannsfeld.pdf>
[113] ISO STEP System Engineering Project (ISO 10303 AP233), PDES, Inc.
<http://pdesinc.aticorp.org/systems_engineering.html>
[114] Enhanced safety assessment for complex systems, ESACS Technical and scientific
objectives. <http://www.cert.fr/esacs/overview.html>
[115] QFD for software development considering future design risks, Yuji Kyoya, et al, Software
th
Engineering Center, Toshiba Corporation, Japan, 9 International symposium on QFD,
2003.
[116] Advanced design tools for safety critical software, SAFEAIR II, IST-2001-34263. Project
URL: http://www.safeair2.org/download/34363_safeairii_project_pres_v1-0b.doc
[117] Formal verification of reactive system designs overview, Dr. Bernhard Josko, et al.
OFFIS project. <http://www.safeair.org/safeair/workplan/overview_verification_talk.pps>
[119] FAR EAST: Modeling an automotive software architecture using the EAST ADL, Henrik
Loenn, et al. <http://www.mrtc.mdh.se/publications/0698.pdf>
[120] Correct development of real-time embedded systems, IST-2001-33522 OMEGA.
<http://www-omega.imag.fr>
[121] VEESA project, IST-2001-37598, Deliverable D3: System Level Certification
[122] Stability analysis for hybrid automata using conservative gains, Rom Langerak, et al,
<http://www.nlr.nl/public/hosted-sites/hybridge/documents/R4.4%20final.pdf>
[123] Hybrid automata: An algorithmic approach to the specification and verification of hybrid
systems, Rajeev Alur, et al.
<http://www-cad.eecs.berkeley.edu/~tah/Publications/hybrid_automata.pdf>
[124] A. Pnueli, O. Shtrichman, and M. Siegel: The Code Validation Tool (CVT) - Automatic
verification of a compilation process. Journal of Software Tools for Technology Transfer
(STTT), Vol 2(2), pp 192-201, 1998
[125] W. Damm, B. Josko, H. Hungar, and A. Pnueli. A compositional real-time semantics of
STATEMATE designs. In W.-P. de Roever, H. Langmaack, and A. Pnueli, editors,
Proceedings COMPOS'97, Lecture Notes in Computer Science 1536, pages 186-238.
Springer-Verlag, 1998
[126] W. Damm, B. Josko, A. Pnueli, and A. Votintseva. Understanding UML: A Formal
Semantics of Concurrency and Communication in Real-Time UML. In Proceedings of the
First International Symposium on Formal Methods for Components and Objects (FMCO),
LNCS. Springer-Verlag, 2003.
[127] T. Bienmller, J. Bohn, H. Brinkmann, U. Brockmeyer, W. Damm, H. Hungar, and P.
Jansen. Verification of automotive control units. In E.-R. Olderog and B. Steffen, editors,
Correct System Design, volume 1710 of LNCS, pages 319-341. Springer Verlag, 1999.
[128] T. Bienmller, U. Brockmeyer, W. Damm, G. Dhmen, C. Emann, H.-J. Holberg, H.
Hungar, B.Josko, R. Schlr, G. Wittich, H. Wittke, G. Clements, J. Rowlands, and E.
Sefton. Formal Verification of an Avionics Application using Abstraction and Symbolic
Model Checking. In F. Redmill and T. Anderson, editors, Towards System Safety --
Proceedings of the Seventh Safety-critical Systems Symposium, Huntingdon, UK, pages
150-173. Safety-Critical Systems Club, Springer, 1999.
[129] W. Damm and M. Cohen. Advanced validation techniques meet complexity challenge in
embedded software development. Embedded Systems Journal, 2001.